Information Security News | AI Aggregator
Please be mindful of possible hallucinations. Verify information prior to taking action.
Date: 2026-04-23 | Source: The Hacker News
Bitwarden CLI was compromised in a Checkmarx supply chain attack, with the malicious package version @bitwarden/cli@2026.4.0 containing code that exfiltrates sensitive data. The attack exploited a compromised GitHub Action in Bitwarden's CI/CD pipeline. The malicious version was available between 5:57 PM and 7:30 PM (ET) on April 22, 2026. Bitwarden confirmed no end user data was accessed, and a CVE will be issued for the affected version.
2026-04-23 | Cyber Security News: Bitwarden CLI Compromised in Supply Chain Attack via GitHub Actions
Bitwarden CLI version 2026.4.0 was compromised in a supply chain attack via a GitHub Action, exposing millions to credential theft. The malicious file bw1.js targeted GitHub tokens, AWS, Azure, GCP credentials, and more, using public repositories for exfiltration. Organizations should remove the package, rotate exposed credentials, audit for unauthorized changes, and monitor for unusual activity. Long-term measures include restricting token scopes and hardening GitHub Actions.
2026-04-23 | CSO Online: Bitwarden CLI password manager trojanized in supply chain attack
Researchers have identified a supply chain attack that led to a malicious version of Bitwarden CLI (version 2026.4.0) being published on the npm registry. This incident is linked to the group TeamPCP and involved a compromised GitHub Action in Bitwarden’s CI/CD pipeline. The malicious version was not officially released on GitHub and was detected and removed within approximately 1.5 hours on April 22, between 5:57 PM and 7:30 PM ET.
2026-04-24 | Security Affairs: Checkmarx supply chain attack impacts Bitwarden npm distribution path
A supply chain attack linked to Checkmarx compromised Bitwarden's CLI version 2026.4.0, distributing malicious code via a compromised GitHub Action. The attack introduced a preinstall hook that executed a credential harvester and self-propagating worm, targeting sensitive data like SSH keys and cloud credentials. The malicious package was available briefly on April 22, 2026. Bitwarden confirmed no user vault data was compromised and has issued a CVE for the affected version.
Date: 2026-04-23 | Source: The Register
Medical data of approximately 500,000 volunteers from the UK-based Biobank is being sold on Alibaba, as revealed by UK technology minister Ian Murray. Biobank confirmed that while the data is anonymized, there is no guarantee that individuals could not be identified if the data were misused. This issue was discussed in the House of Commons, coinciding with Biobank's acknowledgment of the data breach. Further details are expected to follow.
2026-04-23 | Recorded Future: Medical data of 500,000 Britons put up for sale on Chinese website
Medical data of 500,000 British citizens was listed for sale on Alibaba, according to the UK government. The data, from UK Biobank, included genetic sequences and lifestyle information. Although the listings were removed with Chinese government cooperation, the source was traced to three research institutions, whose access has been revoked. UK Biobank has suspended data access and is implementing new security measures. The incident has been referred to the Information Commissioner's Office for potential fines.
2026-04-23 | The Guardian: Private health records of half a million Britons offered for sale on Chinese website
Confidential health records of 500,000 UK Biobank volunteers were found for sale on Alibaba, confirmed by the UK government. The listings have been removed, and no sales occurred. The data was de-identified, lacking personal identifiers. The UK Biobank has suspended access for three research institutions involved and is pausing further data access until security measures are enhanced. The organization has referred itself to the Information Commissioner’s Office and is implementing upgrades to prevent future data misuse.
2026-04-23 | DIGIT: Medical Data of 500,000 Brits Found for Sale on Alibaba
Medical data of 500,000 UK Biobank volunteers was found for sale on Alibaba. The UK Government confirmed that on April 20, the Biobank reported three listings containing participant data. Immediate action was taken to remove the data, and access was revoked from the identified research institutions. No personal identifiers were included in the listings. The Biobank is conducting an investigation and has temporarily suspended access to its research platform while implementing stricter data export controls.
Date: 2026-04-23 | Source: TechCrunch
Security researchers from Citizen Lab revealed two spying campaigns exploiting vulnerabilities in global telecom infrastructure to track individuals' locations. The campaigns utilized flaws in the SS7 protocol and inadequately implemented Diameter protocol, leveraging access to three telecom providers: 019Mobile, Tango Networks U.K., and Airtel Jersey. One campaign involved sending covert SMS commands to turn targets' phones into tracking devices, a method known as SIMjacker. The findings suggest widespread abuse by surveillance vendors.
2026-04-23 | Recorded Future: Surveillance companies exploiting telecom system to spy on targets’ locations, research shows
Surveillance vendors are exploiting telecom infrastructure to access targets' location data, as reported by Citizen Lab. Two campaigns were identified: one used malicious SMS commands to turn devices into tracking beacons, while the other exploited vulnerabilities in SS7 and Diameter protocols. These attacks target three telecom networks that serve as gateways for unauthorized access. Evidence suggests an Israeli company may be involved. The report highlights the widespread nature of these unauthorized surveillance activities.
2026-04-23 | Cyberscoop: Surveillance campaigns use commercial surveillance tools to exploit long-known telecom vulnerabilities
Campaigns using commercial surveillance tools have exploited telecom vulnerabilities, linking real-world attack traffic to mobile operator signaling infrastructure. Researchers from the University of Toronto's Citizen Lab found that unknown parties mimicked mobile operators, manipulating signaling protocols like SS7 and Diameter. The report raises concerns about accountability in telecommunications, as attackers used identifiers from various global networks. The FCC is investigating these vulnerabilities, while operators deny involvement in the surveillance activities.
2026-04-24 | Cyber Security News: Hackers Abuse SS7 and Diameter Protocols to Track Mobile Users Worldwide
A Citizen Lab investigation has revealed that hackers exploit vulnerabilities in the 3G SS7 and 4G Diameter protocols to track mobile users globally. Two threat actors, STA1 and STA2, utilize different methods: STA1 manipulates network routing and spoofs operator data, while STA2 employs a zero-click SMS payload to extract location data from devices. The research highlights significant weaknesses in telecom security, urging the industry to abandon outdated trust models and implement stronger cryptographic authentication to protect users.
Date: 2026-04-23 | Source: The Guardian
The UK's National Cyber Security Centre (NCSC) warns that Chinese hackers are exploiting everyday devices, like wifi routers, for espionage. These "covert networks" target vulnerable equipment for surveillance and data theft. The NCSC advises organizations to map IT systems, implement multifactor authentication, and limit external device connections. A group known as Volt Typhoon has infiltrated critical US infrastructure using these tactics. The advisory highlights a significant shift in Chinese cyber tactics.
2026-04-23 | Cybersecurity Dive: China disguises cyberattacks with ‘covert network’ botnets, US and allies warn
Hackers linked to the Chinese government are increasingly using covert networks of compromised routers and IoT devices to obscure their cyberattacks, according to a joint advisory from U.S. and allied agencies. Notable botnets include KV Botnet and Raptor Train, used in attacks on U.S. infrastructure and Taiwan, respectively. Recommendations for defenders include mapping networks, implementing multifactor authentication, and applying zero-trust principles to mitigate risks from these evolving threats.
2026-04-23 | DIGIT: NCSC Warns of Covert China-linked Networks
The NCSC, in collaboration with 15 international partners, has issued an advisory on defending against covert networks linked to China, which exploit compromised internet-connected devices to target critical sectors and steal sensitive data. The advisory highlights the challenge of IOC extinction and emphasizes the need for adaptive, intelligence-driven defenses. Organizations are urged to utilize the Cyber Action Toolkit and pursue Cyber Essentials certification to enhance their security posture.
2026-04-23 | Cyberscoop: A dozen allied agencies say China is building covert hacker networks out of everyday routers
U.S. and allied agencies warned of a shift in Chinese hacker tactics, utilizing large-scale covert networks of compromised devices, particularly SOHO routers and IoT devices, for cyber attacks. The advisory highlights the use of these networks for reconnaissance, malware delivery, and information theft, with examples including groups like Volt Typhoon and Flax Typhoon. Recommendations for defense include active hunting and threat reporting. The advisory emphasizes the sophistication of China's cyber operations and the need for organizations to enhance their cybersecurity practices.
2026-04-23 | The Register: Chinese attackers are pwning your infrastructure to use in attacks, 10 countries warn
A joint advisory from 10 countries, including the UK and US, warns that China-linked threat actors are exploiting compromised routers and IoT devices to create proxy networks for further intrusions and data theft. The advisory highlights the Raptor Train network, managed by Integrity Technology Group, which infected over 200,000 devices. Recommendations for organizations include mapping edge device traffic, implementing multi-factor authentication, and employing zero-trust security controls to combat these threats.
2026-04-24 | Security Affairs: China-linked threat actors use consumer device botnets to evade detection, warn UK and partners
China-linked threat actors are utilizing large botnets of compromised consumer devices, such as routers and cameras, to evade detection and launch cyber attacks. The UK National Cyber Security Centre warns that these covert networks allow for flexible, low-cost operations that blend into normal traffic, complicating detection efforts. Recommendations include mapping traffic, implementing two-factor authentication, and adopting dynamic threat feeds. The Raptor Train botnet, linked to the APT group Flax Typhoon, has compromised over 200,000 devices since May 2020.
2026-04-24 | Help Net Security: Compromised everyday devices power Chinese cyber espionage operations
China-linked threat actors are increasingly using large-scale covert networks, primarily built from compromised routers and IoT devices, for cyber espionage, according to the NCSC. An advisory urges organizations to monitor edge device traffic and implement dynamic threat feed filtering. The NCSC highlighted the role of Chinese firms in maintaining these networks, citing the Integrity Technology Group's involvement in a botnet linked to Flax Typhoon, which affected over 65,000 devices in the EU.
2026-04-24 | Cyber Security News: Hackers Abuse Compromised Routers to Hide China-Linked Cyber Operations
Hackers linked to China are exploiting compromised routers and edge devices to conduct covert cyber operations globally. By using everyday networking equipment as relay points, they obscure their malicious traffic among normal internet activity, complicating detection. This tactic allows for attacks to appear from various locations. The UK's NCSC issued an advisory on April 23, 2026, recommending organizations map edge device traffic, enforce two-factor authentication, and adopt dynamic threat filtering to counter this evolving threat.
Date: 2026-04-23 | Source: The Hacker News
Vercel identified additional compromised customer accounts linked to a breach originating from Context.ai, where a Vercel employee's Google Workspace account was hijacked. The investigation revealed prior compromises possibly due to social engineering or malware. Affected parties were notified, but the number of impacted customers remains undisclosed. The breach highlights risks associated with OAuth integrations and unauthorized AI tool usage. Vercel emphasized the need for rapid response to mitigate threats rather than solely focusing on prevention.
2026-04-23 | Cyber Security News: Vercel Confirms Security Breach – Set of Customer Account Compromised
Vercel disclosed a security breach on April 19, 2026, after unauthorized access to its internal systems via a compromised Google Workspace OAuth application from Context.ai. The attacker exploited a Lumma Stealer malware infection to hijack a Vercel employee's account, compromising non-sensitive environment variables. Vercel identified additional compromised accounts and urged customers to rotate credentials, enable multi-factor authentication, and audit activity logs. The threat actor, ShinyHunters, claimed responsibility and attempted to sell stolen data.
2026-04-23 | TechCrunch: Vercel says some of its customers’ data was stolen prior to its recent hack
Vercel reported that hackers accessed customer data prior to its recent breach, indicating a potentially broader security issue. The company found evidence of prior compromises in a small number of accounts, possibly due to social engineering or malware. The breach, linked to an employee downloading an app from Context AI, may have lasted longer than initially thought. Vercel CEO Guillermo Rauch noted that the attackers likely used infostealer malware to obtain sensitive tokens, leading to unauthorized access to customer credentials.
2026-04-23 | TechRadar: Vercel identifies more accounts 'with evidence of prior compromise' exposed during security incident
Vercel's breach investigation revealed more compromised accounts than initially reported, linked to a Context.ai account infected with Lumma Stealer malware. The attacker accessed Vercel environments via a compromised Google Workspace account. Vercel confirmed a larger number of affected customers and found some accounts compromised prior to this incident, likely due to social engineering or malware. A dark web actor attempted to sell stolen Vercel data, falsely claiming ties to ShinyHunters.
2026-04-23 | Cyberscoop: Vercel attack fallout expands to more customers and third-party systems
Vercel reported that the fallout from an attack on its internal systems has affected more customers than initially disclosed. The attack, originating from Context.ai, involved the theft of customer data, including environment variables. Vercel analyzed nearly a petabyte of logs, revealing malware distribution targeting OAuth tokens. An online persona, ShinyHunters, claimed responsibility and is attempting to sell the stolen data. Vercel has not specified the number of affected accounts or the exact data compromised.
Date: 2026-04-23 | Source: The Register
The UK's National Cyber Security Centre (NCSC) has endorsed passkeys as the default authentication method, advising consumers to abandon passwords. A report presented at the CYBERUK conference states passkeys are generally more secure than passwords and two-step verification. Major platforms like Google, eBay, and PayPal facilitate passkey adoption. Where passkeys aren't available, NCSC recommends using a password manager with unique passwords and 2SV. Passkeys enhance security by using cryptographic key pairs, making them resistant to phishing and easier to use.
2026-04-23 | Infosecurity Magazine: NCSC Backs Passkeys, Hailing a New Era of Sign-in
The UK’s National Cyber Security Centre (NCSC) endorses passkeys as the preferred login method, moving away from traditional passwords. This recommendation follows collaboration with the FIDO Alliance and successful implementation in the NHS. NCSC advises businesses to adopt single sign-on (SSO) and anticipates further guidance. The FIDO Alliance promotes standards like FIDO2 and WebAuthn for secure authentication. Google, Apple, and Microsoft have also integrated passkeys into their services, enhancing security against attacks.
2026-04-23 | TechRadar: UK security agency officially declares passkeys superior to passwords – passkeys should be the 'first choice' for authentication
The UK’s National Cyber Security Centre (NCSC) has endorsed passkeys as a superior alternative to traditional passwords, recommending them as the first choice for authentication. Passkeys utilize device-stored cryptographic keys, often unlocked with biometrics, and are deemed more secure than strong passwords with two-step verification. The NCSC's announcement highlights that over 50% of active Google services users in the UK have registered passkeys, reflecting growing industry adoption.
2026-04-23 | CSO Online: UK’s NCSC calls passkeys the default, says passwords are no longer fit for the purpose
The UK’s National Cyber Security Centre (NCSC) recommends passkeys as the default authentication method for businesses, stating they are more secure and user-friendly than passwords. In a recent blog post, the NCSC emphasized that passkeys should be the primary choice for consumers, declaring that passwords are no longer resilient enough for today’s security landscape.
2026-04-23 | CSO Online: Offer customers passkeys by default, UK’s NCSC tells enterprises
The UK’s National Cyber Security Centre (NCSC) recommends that businesses adopt passkeys as the default authentication method for consumers, highlighting their enhanced security and user-friendliness compared to traditional passwords. In a recent blog post, the NCSC stated that passkeys should be the primary choice for login, emphasizing that passwords have become insufficient for modern security needs.
2026-04-23 | DIGIT: NCSC Endorses Passkeys Over Passwords
The UK’s National Cyber Security Centre (NCSC) endorses passkeys over passwords, citing their superior security against phishing compared to traditional multifactor authentication (MFA). The NCSC's recommendation follows consultations with various stakeholders and research indicating that FIDO2 credentials, which include passkeys, are more secure against credential attacks. While concerns about synchronization risks exist, the NCSC emphasizes that passkeys provide stronger user protection and represent a significant opportunity to enhance cybersecurity.
Date: 2026-04-22 | Source: TechCrunch
Apple released a software update fixing a bug that allowed law enforcement to extract deleted messages from iPhones and iPads. The issue stemmed from notifications displaying message content being cached for up to a month, even after deletion. This vulnerability was highlighted when the FBI accessed deleted Signal messages using forensic tools. Signal's president urged Apple to rectify the problem, emphasizing that deleted message notifications should not persist in any database. The fix was backported to older iOS versions.
2026-04-23 | Cyber Security News: Apple Fixes Notification Privacy Flaw That Allowed FBI to Access Deleted Signal Messages
Apple released iOS 26.4.2 and iPadOS 26.4.2 on April 22, 2026, to address CVE-2026-28950, a critical vulnerability that allowed the FBI to access deleted Signal message notifications. The flaw was due to a logging issue where deleted notifications remained on devices. Signal praised Apple's swift response, noting the update prevents future retention of notifications and clears existing data. The update is applicable to various Apple devices, including iPhone 11 and later, and is available for download.
2026-04-23 | The Hacker News: Apple Fixes iOS Flaw That Let FBI Recover Deleted Signal Messages
Apple has released updates for iOS (26.4.2) and iPadOS (26.4.2, 18.7.8) to fix a Notification Services flaw (CVE-2026-28950) that retained deleted Signal notifications on devices. This vulnerability allowed forensic extraction of messages even after app deletion. Affected devices include iPhone 11 and later, various iPad models. Signal users are advised to adjust notification settings to enhance privacy. The fix ensures that previously stored notifications are deleted and future notifications from deleted apps are not preserved.
2026-04-23 | Malwarebytes Labs: Apple fixes iOS bug that kept deleted notifications, including chat previews
Apple has released updates for iOS (18.7.8) and iPadOS (26.4.2) to address a security vulnerability tracked as CVE-2026-28950. This issue allowed deleted notifications, including chat previews, to be retained on devices, potentially enabling law enforcement to recover them during forensic analysis. The update improves data redaction to prevent notifications marked for deletion from being unexpectedly retained. Users are advised to check for the latest software version and enable Automatic Updates.
2026-04-23 | Help Net Security: Apple fixes iPhone bug that let FBI retrieve deleted Signal messages(CVE-2026-28950)
Apple has released security updates to address CVE-2026-28950, a vulnerability in Notification Services that allowed deleted Signal message notifications to be retained on iPhones and iPads. This issue was highlighted after the FBI accessed a suspect's deleted Signal messages. Apple confirmed the flaw was in its notification storage, not in Signal itself. Users are advised to update their devices, which will automatically delete preserved notifications and prevent future retention. Signal also provided settings to enhance privacy.
2026-04-23 | Infosecurity Magazine: Apple Fixes iOS Notification Bug Exposing Deleted Messages
Apple released emergency updates for iOS 26.4.2 and iPadOS 26.4.2 to address CVE-2026-28950, a Notification Services flaw that allowed deleted alerts to remain stored, potentially exposing sensitive message content. The issue arose from a logging problem, and while Apple improved data redaction, it did not confirm exploitation details. Users are advised to set notification previews to "Name Only," install updates promptly, and review settings for sensitive apps to mitigate risks.
2026-04-23 | Security Affairs: iOS Flaw Let Deleted Notifications Linger, Apple Issues Fix
Apple addressed a vulnerability (CVE-2026-28950) in iOS and iPadOS that allowed deleted notifications, including messages from Signal, to persist on devices. This flaw was highlighted by a case where the FBI recovered incoming Signal messages from an iPhone even after the app was uninstalled. The issue affects various iPhone and iPad models. Updates (iOS 26.4.2, iPadOS 26.4.2, iOS 18.7.8, iPadOS 18.7.8) ensure that stored notifications are deleted and future ones are not retained for deleted apps. Signal welcomed the fix.
Date: 2026-04-22 | Source: Wired
A North Korean hacking group, HexagonalRodent, utilized AI tools to enhance their cybercrime operations, stealing up to $12 million in cryptocurrency from over 2,000 victims. The group targeted crypto developers with fake job offers, infecting them with credential-stealing malware. Despite their lack of coding skills, AI tools enabled them to create malware and phishing websites. Security researcher Marcus Hutchins noted that the malware showed signs of AI generation, including emoji-laden code and English comments, indicating a less sophisticated approach.
2026-04-22 | Recorded Future: North Korean hackers siphon more than $12 million from crypto users in sprawling campaign
North Korean hackers, identified as the group HexagonalRodent, have stolen over $12 million from cryptocurrency users in early 2026 through malware attacks on personal devices. The operation targeted Web3 developers with fake job offers via LinkedIn, using malware like BeaverTail and InvisibleFerret to exfiltrate credentials from 26,584 wallets across 2,726 systems. The campaign involved 31 hackers across six teams and utilized generative AI for creating fake companies and job offers.
2026-04-23 | Help Net Security: With AI’s help, North Korean hackers stumbled into a near-undetectable attack
North Korean APT group HexagonalRodent utilizes AI tools like Cursor and ChatGPT to enhance their cyberattacks, targeting individual Web3 developers. They employ social engineering tactics, including fake job offers and malware-laden coding assessments, to infiltrate systems. Recent research indicates they exfiltrated 26,584 cryptocurrency wallets, potentially worth $12 million. Their stealthy operations leverage obfuscation techniques and programming languages like NodeJS and Python, making detection challenging.
2026-04-23 | Cyber Security News: AI-Assisted Lazarus Campaign Targets Developers With Backdoored Coding Challenges
A North Korean threat group, HexagonalRodent, is targeting developers with backdoored coding challenges through fake job offers. The campaign has exfiltrated 26,584 cryptocurrency wallets worth up to $12 million. Utilizing generative AI, the group embeds malware in coding assessments, exploiting VSCode's tasks.json feature for infection. The malware, including BeaverTail and OtterCookie, steals credentials and provides remote access. Developers are advised to review code from unknown sources, disable auto-execution in VSCode, and use hardware security tokens for wallets.
Date: 2026-04-22 | Source: The Hacker News
The Harvester threat actor has deployed a new Linux variant of its GoGra backdoor, targeting entities in South Asia. Utilizing the Microsoft Graph API for covert command-and-control, it bypasses traditional defenses. The malware employs social engineering to disguise ELF binaries as PDFs. Once activated, it checks an Outlook mailbox for commands, executing them and sending results back via email. This marks an expansion of Harvester's toolset beyond Windows, indicating ongoing development and targeting of diverse victims.
2026-04-23 | Security Affairs: Microsoft Graph API misused by new GoGra Linux malware for hidden communication
A new Linux variant of the GoGra backdoor, linked to the Harvester cyberespionage group, utilizes Microsoft Graph API and Outlook for stealthy payload delivery. This malware polls a specific mailbox for commands, executing them while erasing traces. Initial targets appear to be in South Asia, with evidence from India and Afghanistan. Both Linux and Windows versions share a similar codebase, indicating a cross-platform development effort, and use the same AES key for encryption.
2026-04-23 | Cyber Security News: Hackers Use Outlook Mailboxes to Hide Linux GoGra Backdoor Communications
A nation-state-linked group, Harvester APT, has developed a Linux version of its GoGra backdoor, using Microsoft Outlook mailboxes for covert command-and-control communications. This malware exploits the Microsoft Graph API, making detection difficult. Initial access was gained through social engineering, deploying malicious ELF binaries disguised as documents. Security recommendations include auditing autostart entries, monitoring OAuth2 token requests, and threat hunting for suspicious ELF binaries.
2026-04-23 | Hack Read: Harvester APT Expands Spying Operations with New GoGra Linux Malware
A nation-state-backed APT group, Harvester, has developed a new Linux backdoor called GoGra to spy on systems in India and Afghanistan. Active since June 2021, the group previously targeted Windows. GoGra employs social engineering tactics, disguising malicious files as trusted documents. It communicates via Microsoft services, using stolen Azure AD credentials for covert command-and-control. The malware checks Outlook for encrypted commands and sends results back, erasing evidence afterward.
Date: 2026-04-22 | Source: Infosecurity Magazine
The UK National Cyber Security Centre (NCSC) launched SilentGlass on April 22, a plug-and-play device designed to protect monitors from cyber-attacks by blocking malicious activity between HDMI or display port connections. Approved for high-threat environments, it has been deployed in government estates and is now available for global purchase. Developed in partnership with Goldilock Labs and Sony UK, SilentGlass addresses vulnerabilities in hardware interfaces, aiming for rapid adoption by risk-conscious organizations.
2026-04-23 | DIGIT: NCSC Launches SilentGlass Hardware to Stop Cyber-Attacks via Screens
The NCSC has launched SilentGlass, a plug-and-play device designed to protect video connections from cyber attacks, particularly in high-threat environments. Deployed on UK Government estates, it blocks unexpected or malicious activity between HDMI and Display Port connections. The device is available for commercial use, manufactured by Goldilock Labs in partnership with Sony UK. NCSC anticipates rapid global adoption, emphasizing the importance of securing physical connectivity in IT infrastructure.
2026-04-23 | The Register: If malware via monitor cables is a matter of national security, this might be the gadget for you
The NCSC has launched SilentGlass, a device designed to protect display devices from cyberattacks via HDMI and DisplayPort connections. Developed in partnership with Goldilock Labs, it identifies and blocks malicious traffic, addressing potential threats to sensitive data in high-risk environments. While the real-world application of such attacks is debated, the NCSC emphasizes the importance of securing external monitors against espionage. SilentGlass is now available for purchase, with separate versions for HDMI and DisplayPort.
2026-04-23 | Help Net Security: If cyber espionage via HDMI worries you, NCSC built a device to stop it
The National Cyber Security Centre (NCSC) has developed SilentGlass, a device to protect HDMI and DisplayPort connections from cyberattacks. Monitors are vulnerable as they can store sensitive data, making them targets for espionage. SilentGlass is designed for ease of use and is already deployed in government systems, approved for high-threat environments, and available for commercial purchase. Manufactured by Goldilock in partnership with Sony UK Technology Centre, it addresses security gaps in hardware interfaces.
Date: 2026-04-22 | Source: Cyber Security News
A supply chain threat has emerged in the npm ecosystem involving compromised Namastex.ai packages delivering CanisterWorm malware, a self-propagating backdoor linked to TeamPCP. Attackers exploited npm publishing tokens to replace legitimate package code with malicious versions, making detection difficult. The malware collects sensitive data and spreads by querying npm registries. Affected teams should rotate credentials, audit package histories, and enable install-time script analysis to mitigate risks.
2026-04-22 | The Register: Another npm supply chain worm is tearing through dev environments
A new npm supply chain attack has emerged, targeting developer environments through compromised packages linked to Namastex Labs. The malware, resembling the CanisterWorm strain, affects versions of several packages, including @automagik/genie and pgserve. It steals sensitive data like tokens and credentials, exfiltrating it via webhooks and an ICP canister. The attack employs self-propagation techniques to compromise additional packages and can also target PyPI credentials for further exploitation.
2026-04-23 | CSO Online: Malicious pgserve, automagik developer tools found in npm registry
Malicious versions of pgserve and automagik have been discovered in the npm JavaScript registry, posing significant risks to application developers. Downloading these versions can result in the theft of sensitive data, including tokens, SSH keys, and credentials for AWS, Azure, and GCP, as well as crypto coins and browser passwords. The malware can also propagate to other connected devices. Security researchers issued warnings this week regarding these threats.
2026-04-24 | Infosecurity Magazine: Npm Supply Chain Malware Attack Targets Developers With Worm-Like Propagation
Malicious npm packages have been found distributing malware that steals credentials and spreads within developer ecosystems. Research from Socket indicates that affected packages, including @automagik/genie and pgserve, execute during installation to harvest sensitive data like cloud credentials and SSH keys. The malware can self-propagate by injecting malicious code into accessible packages and may compromise legitimate projects. The situation is evolving, with new malicious versions emerging.
Date: 2026-04-22 | Source: TechRadar
The French government agency ANTS confirmed a data breach involving the theft of 19 million records, including names, contact details, birthdays, and addresses. The breach was detected on April 15, 2026, after a hacker offered the stolen data for sale on the dark web. ANTS stated that no user action is required but warned of potential phishing risks. An investigation is ongoing with law enforcement and cybersecurity experts, and affected users have been notified.
2026-04-22 | Security Magazine: Hackers Claim 19M Records Stolen From French Government Agency
On April 15, the French government agency ANTS reported a security incident potentially compromising citizen data, including login IDs, names, email addresses, dates of birth, unique account identifiers, postal addresses, places of birth, and phone numbers. The agency is notifying affected individuals and advises vigilance against suspicious communications. A threat actor named ‘breach3d’ claimed responsibility, asserting that 19 million records were stolen, though this claim remains unverified.
2026-04-22 | Help Net Security: Cyberattack on French government agency triggers phishing alert
France Titres, a French government agency, reported a data breach detected on April 15, potentially exposing user data from its online portal. Affected data may include login ID, name, email, date of birth, and unique account identifiers. ANTS has notified impacted individuals and advised caution against phishing attempts. The agency has informed CNIL, the Paris public prosecutor, and ANSSI, and has implemented additional security measures. The sale or distribution of the exposed data is illegal.
2026-04-22 | TechCrunch: France confirms data breach at government agency that manages citizens’ IDs
The French government agency Agence Nationale des Titres Sécurisés (ANTS) confirmed a data breach affecting citizens' identity documents, including national IDs and passports. The breach, detected on April 15, may involve full names, birth dates, addresses, and phone numbers of an undisclosed number of citizens. Reports suggest millions could be affected, with a hacker claiming to possess a database of 19 million records. ANTS is investigating the breach and notifying affected individuals.
Date: 2026-04-22 | Source: Security Affairs
Lotus Wiper targeted Venezuela's energy sector, employing batch scripts to disable defenses before erasing all data. The attack, identified by Kaspersky, involved scripts that prepared systems for destruction, disabled user accounts, and isolated machines. The wiper permanently deleted files and recovery tools, rendering systems unusable. No ransom was demanded, indicating a purely destructive intent. Recommendations include auditing permissions, monitoring for unauthorized changes, and ensuring robust backup and recovery plans.
2026-04-22 | The Hacker News: Lotus Wiper Malware Targets Venezuelan Energy Systems in Destructive Attack
Cybersecurity researchers identified Lotus Wiper, a new malware targeting Venezuela's energy sector, used in attacks from late 2025 to early 2026. It employs batch scripts to disable system defenses and execute a destructive payload, erasing recovery mechanisms and files. The wiper is not financially motivated, and its deployment coincided with increased malware activity in the region. Organizations are advised to monitor for NETLOGON share changes and suspicious use of Windows utilities like fsutil and robocopy.
2026-04-22 | Cyber Security News: Hackers Use Lotus Wiper to Destroy Drives and Delete Files in Energy Sector Attack
A newly identified malware, Lotus Wiper, has targeted the energy sector in Venezuela, permanently destroying data and wiping drives without financial motives. Discovered in late 2025, it uses batch scripts to disable security measures and execute its payload, which erases recovery mechanisms and overwrites drives. The attack is believed to be geopolitically motivated. Recommendations for organizations include auditing permissions, monitoring file activity, and securing backup systems to mitigate risks.
2026-04-22 | Recorded Future: Hackers deployed wiper malware in destructive attacks on Venezuela’s energy sector
Hackers targeted Venezuela’s energy sector with a new wiper malware called Lotus Wiper, designed to erase data and render systems irretrievable. Kaspersky reported that the malware specifically targeted older Windows versions, indicating prior knowledge of the networks. The operation was likely prepared for months, with the malware compiled in September 2025. The attacks coincided with geopolitical tensions, but no organizations were named. There is no evidence linking Lotus Wiper to a previous PDVSA cyberattack.
Date: 2026-04-22 | Source: Cyber Security News
Microsoft released an emergency out-of-band update for .NET 10, version 10.0.7, on April 21, 2026, to address CVE-2026-40372, a critical elevation of privilege vulnerability in the Microsoft.AspNetCore.DataProtection package. This flaw affects versions 10.0.0 through 10.0.6, allowing attackers to bypass integrity validation. Microsoft urges immediate updates to mitigate risks of privilege escalation. Updated SDKs and container images are available, and developers should verify installations and enable automatic update notifications.
2026-04-22 | The Hacker News: Microsoft Patches Critical ASP.NET Core CVE-2026-40372 Privilege Escalation Bug
Microsoft released out-of-band updates for a critical vulnerability in ASP.NET Core, tracked as CVE-2026-40372, with a CVSS score of 9.1. The flaw allows unauthorized privilege escalation due to improper cryptographic signature verification. Exploitation requires the use of Microsoft.AspNetCore.DataProtection 10.0.6 on non-Windows OS. The issue has been fixed in version 10.0.7. Attackers could forge payloads to authenticate as privileged users, potentially issuing valid tokens unless the DataProtection key ring is rotated.
2026-04-22 | Security Affairs: Microsoft out-of-band updates fixed critical ASP.NET Core privilege escalation flaw
Microsoft released out-of-band updates to address a critical ASP.NET Core vulnerability, CVE-2026-40372 (CVSS score 9.1), allowing privilege escalation to SYSTEM-level. The flaw affects versions 10.0.0–10.0.6, where improper HMAC validation could let attackers forge or decrypt protected data. Exploitation requires specific conditions, and while attacks in the wild are currently unlikely, old tokens may remain valid post-update unless the key ring is rotated.
2026-04-22 | CSO Online: Microsoft issues out-of-band patch for critical security flaw in update to ASP.NET Core
Microsoft released an out-of-band patch addressing a critical security flaw in ASP.NET Core's Data Protection Library, introduced in a recent update. This vulnerability, rated CVSS 9.1 and identified as CVE-2026-40372, affects applications on Linux, macOS, and Windows systems that use the UseCustomCryptographicAlgorithms API. Developers are urged to review their applications for potential impacts due to this regression.
2026-04-22 | Ars Technica: Microsoft issues emergency update for macOS and Linux ASP.NET threat
Microsoft released an emergency patch for ASP.NET Core to address a high-severity vulnerability (CVE-2026-40372) affecting versions 10.0.0 to 10.0.6. This flaw allows unauthenticated attackers to gain SYSTEM privileges by exploiting faulty cryptographic signature verification. Even after patching to version 10.0.7, previously forged credentials may remain valid unless the DataProtection key ring is rotated. The vulnerability impacts devices running Linux or macOS apps using the framework.
Date: 2026-04-21 | Source: The Register
UK National Cyber Security Centre CEO Richard Horne highlighted the increasing sophistication of state-sponsored cyberattacks, particularly from China, during his speech at CYBERUK 2026. He noted the UK faces an average of four significant cyberattacks weekly from state-linked threats. Horne emphasized the need for organizations to embed cybersecurity into their core missions and prepare for potential conflicts, advocating for a cultural shift towards resilience and the responsible use of AI in defense against cyber threats.
2026-04-22 | ABC News: Most serious cyberattacks against UK now from Russia, Iran and China
The U.K.'s National Cyber Security Centre (NCSC) chief Richard Horne warns that Russia, Iran, and China are responsible for the most serious cyberattacks against the U.K. He highlights the need for British businesses to bolster defenses amid escalating geopolitical tensions. The NCSC manages about four significant cyber incidents weekly, with state-sponsored threats surpassing criminal activities like ransomware. Horne emphasizes the urgency for organizations to understand risks and enhance cybersecurity measures before potential large-scale attacks occur.
2026-04-22 | Infosecurity Magazine: UK Faces a Cyber ‘Perfect Storm’ Driven by Tech Advances and Nation State Threats, NCSC Warns
The UK is facing a cybersecurity "perfect storm" due to geopolitical tensions and rapid technological advancements, according to Richard Horne of the NCSC. The NCSC reported 204 significant cyber incidents, with nation-state threats, particularly from Russia, China, and Iran, being the most serious. Ransomware remains prevalent. Organizations are urged to improve preparedness and adopt a resilience mindset. AI advancements are increasing the risk of zero-day attacks, necessitating basic cybersecurity hygiene and monitoring.
2026-04-22 | DIGIT: UK Faces “Perfect Storm” For Cybersecurity, NCSC Chief Warns
The UK is facing a "perfect storm" for cybersecurity, according to Dr. Richard Horne, CEO of the National Cyber Security Centre, due to rapid technological changes and geopolitical tensions. He emphasizes the need for a cultural shift in organizations, stating that cybersecurity is everyone's responsibility. The NCSC reports a steady number of incidents, primarily from nation-state actors. Dr. Horne warns that AI advancements could exploit vulnerabilities, urging immediate action to enhance cyber resilience across sectors.
2026-04-22 | Recorded Future: UK cyber agency handling four major incidents a week as nation-state attacks surge
Britain's cybersecurity chief reported that the UK is managing four significant cyber incidents weekly, primarily from nation-states like China, Russia, and Iran. A £90 million investment aims to enhance digital defenses. The NCSC warned of Russia compromising routers to intercept data and Iran targeting individuals in the UK. AI is reshaping threats, with models like Anthropic's Mythos autonomously identifying vulnerabilities. Officials stress the need for improved cybersecurity practices and collaboration with AI firms for national defense capabilities.
Date: 2026-04-21 | Source: Cyberscoop
Lawmakers are considering harsher penalties for ransomware attacks on hospitals, potentially classifying them as terrorism or pursuing homicide charges for resulting deaths. At a House Homeland Security Committee hearing, former FBI official Cynthia Kaiser highlighted the rise in attacks on healthcare, with incidents doubling from 238 in 2024 to 460 in 2025. A University of Minnesota study linked such attacks to patient deaths. The proposals align with recent legislative efforts to address cybercrime more aggressively.
2026-04-21 | The Register: Murder, she wrote: Ex-FBI chief wants some ransomware crims charged with homicide
Former FBI cyber division chief Cynthia Kaiser urged the US Justice Department to consider felony homicide charges against ransomware actors whose attacks on healthcare facilities result in patient deaths. She highlighted a study linking at least 47 deaths to such attacks from 2016 to 2021. Kaiser also called for increased funding for cybersecurity programs and criticized cuts to CISA, which has lost significant resources and personnel, undermining efforts to combat ransomware effectively.
2026-04-22 | Risky.Biz: Risky Bulletin: Former FBI official calls for terrorism designations for ransomware groups that target hospitals and critical infrastructure
A former FBI official has called for Congress to designate ransomware groups targeting hospitals and critical infrastructure as terrorist organizations, citing a study showing a 20% increase in hospital mortality rates during such attacks. Cynthia Kaiser emphasized the need for broader legal tools against these groups. The article also reports on various cyber incidents, including a breach at Vercel linked to Context.ai and a data breach at France's ANTS agency affecting 12.7 million records.
2026-04-22 | TechRadar: 'Felony murder law does not require that a defendant pull the trigger': Ex-FBI chief calls for ransomware attackers to face homicide charges if attacks lead to deaths
Cynthia Kaiser, former deputy assistant director of the FBI's cyber division, urged the DOJ to charge ransomware attackers with felony murder if their actions lead to patient deaths. Research from the University of Minnesota links at least 47 deaths to hospital ransomware attacks from 2016 to 2021, with incidents nearly doubling from 238 in 2024 to 460 in 2025. Kaiser also suggested exploring terrorism designations for groups targeting hospitals, which could enable sanctions and broader consequences.
Date: 2026-04-21 | Source: Wired
Mozilla's Firefox 150 release includes protections for 271 vulnerabilities identified using Anthropic's Mythos Preview. The Firefox team emphasizes the necessity of adapting to AI tools for enhanced security, as these capabilities will soon be accessible to attackers. Bobby Holley, Firefox's CTO, notes that AI will necessitate a comprehensive review of software to uncover latent vulnerabilities. Mozilla collaborated with Anthropic for access to Mythos Preview, highlighting the potential impact on open-source projects and "abandonware.
2026-04-22 | The Register: Mythos found 271 Firefox flaws – but none a human couldn’t spot
Mozilla tested Anthropic’s Mythos AI model on Firefox, uncovering 271 vulnerabilities in version 150 and 22 in version 148. CTO Bobby Holley expressed concern over the high number of flaws but sees potential for improved security. He believes Mythos enhances bug detection beyond human capabilities, closing the gap between machine and human discoveries, which could shift the advantage from attackers to defenders. Holley asserts that all identified bugs could also be found by elite human researchers, emphasizing the finite nature of software defects.
2026-04-22 | Help Net Security: Claude Mythos finds 271 Firefox flaws, Mozilla believes it shifts security toward defenders
Mozilla tested the Claude Mythos AI model, uncovering 271 vulnerabilities in Firefox 150, leading to fixes for 22 security-sensitive bugs in Firefox 148. Firefox CTO Bobby Holley emphasized the challenge of managing such a high volume of vulnerabilities and the importance of making exploits costly for attackers. Mythos Preview, capable of identifying complex vulnerabilities, is not being released publicly due to misuse concerns. Anthropic initiated Project Glasswing for selective access to the model, but unauthorized access attempts were reported.
2026-04-22 | Cyber Security News: Claude Mythos AI Model Uncovers 271 Zero-Day Vulnerabilities in Firefox
Anthropic's Claude Mythos AI model has identified 271 zero-day vulnerabilities in Mozilla Firefox, leading to the most significant security update in the browser's history with the release of Firefox 150. This discovery follows a collaboration with Mozilla's security team since February 2026, which previously identified 22 vulnerabilities using Claude Opus 4.6. Mythos autonomously exploits vulnerabilities across major systems, revealing long-buried flaws in critical infrastructure, indicating a transformative shift in AI-driven cybersecurity defense.
2026-04-23 | CSO Online: Claude Mythos signals a new era in AI-driven security, finding 271 flaws in Firefox
The Claude Mythos Preview, released by Anthropic, identified 271 vulnerabilities in Firefox version 148, which have been addressed in the recent Firefox 150 update. This marks a significant advancement in AI's role in cybersecurity, demonstrating its capability to uncover flaws that may have been overlooked by human experts. David Shipley from Beauceron Security noted that while the AI's findings are substantial, they do not represent a new class of vulnerabilities exclusive to AI.
Date: 2026-04-21 | Source: Help Net Security
A campaign targeting Android users in Brazil has been identified, utilizing a trojanized version of the HandyPay app to distribute NGate NFC malware. Active since November 2025, it employs two distribution methods: a fake lottery website and a counterfeit Google Play page. The malware captures NFC card data and payment PINs, relaying them to an attacker-controlled server. ESET has notified Google and the HandyPay developer, who is investigating the incident.
2026-04-21 | The Hacker News: NGate Campaign Targets Brazil, Trojanizes HandyPay to Steal NFC Data and PINs
Cybersecurity researchers have identified a new NGate malware campaign targeting Brazil, which exploits the HandyPay app to steal NFC data and payment card PINs. The malware allows attackers to relay payment card data for unauthorized ATM withdrawals. The campaign, active since November 2025, uses deceptive websites to distribute the trojanized app. HandyPay is conducting an internal investigation. The malware's code may have been generated using AI, indicating a trend in cybercriminals leveraging generative technologies for malware development.
2026-04-21 | Cyber Security News: New NGate Malware Developed Using AI Hides in NFC Payment Apps
A new variant of NGate malware, developed using AI, is found in a trojanized NFC payment app called HandyPay, targeting Android users in Brazil since November 2025. The malware, disguised as a legitimate app, steals payment card data and PINs via NFC without requiring special permissions. Distribution occurs through a fake lottery site and a fraudulent Google Play page. Users are advised to download apps only from official sources and enable Google Play Protect for added security.
2026-04-21 | Infosecurity Magazine: Trojanized Android App Fuels New Wave of NFC Fraud
A new variant of the NGate malware has been identified, utilizing a trojanized version of the HandyPay app to capture payment card data and PINs. Discovered by ESET on April 21, the malware targets users in Brazil and has been distributed since November 2025. It relays NFC data to attacker-controlled devices, enabling fraudulent transactions. The app requires minimal permissions, avoiding detection. Evidence suggests generative AI tools may have aided in its development. Google Play Protect detects known malware versions.
2026-04-22 | CSO Online: NFC tap-to-pay gets tapped by hackers
Cybercriminals are exploiting a trojanized Android payment app, HandyPay, to steal NFC data and PINs, facilitating payment card cloning and account draining. ESET researchers identified a new variant of the NGate malware embedded in the app, which transfers NFC data to attackers for contactless ATM withdrawals. The use of AI in this campaign is suspected, as indicated by AI-generated text emojis found in the logs.
Date: 2026-04-21 | Source: The Hacker News
CISA added eight vulnerabilities to its Known Exploited Vulnerabilities catalog, including critical flaws in Cisco Catalyst SD-WAN Manager and PaperCut NG/MF. Notable vulnerabilities include CVE-2025-32975 (CVSS 10.0) allowing user impersonation in Quest KACE SMA and CVE-2023-27351 (CVSS 8.2) enabling authentication bypass in PaperCut. Federal agencies must address Cisco vulnerabilities by April 23, 2026, and others by May 4, 2026, due to active exploitation risks.
2026-04-21 | Security Affairs: U.S. CISA adds Cisco Catalyst, Kentico Xperience, PaperCut NG/MF, Synacor ZCS, Quest KACE SMA, and JetBrains TeamCity flaws to its Known Exploited Vulnerabilities catalog
U.S. CISA added several vulnerabilities to its Known Exploited Vulnerabilities catalog, including CVE-2026-20133 (Cisco Catalyst), CVE-2023-27351 (PaperCut NG/MF), CVE-2024-27199 (JetBrains TeamCity), CVE-2025-32975 (Quest KACE SMA), and CVE-2025-48700 (Synacor ZCS). Many have been actively exploited, with recommendations for federal agencies to remediate by May 4, 2026, and specific deadlines for Cisco and ZCS by April 23, 2026. Rapid patching and monitoring are advised for all organizations.
2026-04-21 | Help Net Security: CISA flags another Cisco Catalyst SD-WAN Manager bug as exploited (CVE-2026-20133)
CISA has added eight vulnerabilities to its Known Exploited Vulnerabilities catalog, including Cisco Catalyst SD-WAN Manager vulnerabilities CVE-2026-20133, CVE-2026-20128, and CVE-2026-20122, the latter two confirmed as actively exploited. Other vulnerabilities include CVE-2023-27351 (PaperCut NG/MF), CVE-2024-27199 (JetBrains TeamCity), CVE-2025-2749 (Kentico Xperience), CVE-2025-32975 (Quest KACE), and CVE-2025-48700 (Zimbra). Federal agencies must address these by April 20, 2026.
2026-04-21 | Cyber Security News: CISA Warns of Cisco Catalyst SD-WAN Manager Vulnerabilities Exploited in Attacks
CISA has added three critical vulnerabilities in Cisco Catalyst SD-WAN Manager to its Known Exploited Vulnerabilities catalog, urging immediate action. The vulnerabilities (CVE-2026-20133, CVE-2026-20122, CVE-2026-20128) allow remote attacks, unauthorized file uploads, and privilege escalation. Organizations must apply patches by April 23, 2026, and follow CISA's Emergency Directive 26-03. Active exploitation poses immediate risks, necessitating urgent attention from both federal and private sectors.
2026-04-21 | Cybersecurity Dive: CISA confirms exploitation of 3 more Cisco networking device vulnerabilities
CISA has confirmed the exploitation of three additional vulnerabilities in Cisco networking devices: CVE-2026-20122, CVE-2026-20128, and CVE-2026-20133. These flaws have been added to the Known Exploited Vulnerabilities catalog due to ongoing malicious activity. CVE-2026-20122 allows overwriting system files, CVE-2026-20128 enables access to an unsecured password file, and CVE-2026-20133 permits viewing sensitive information without authentication. Federal agencies must patch these vulnerabilities by April 23.
2026-04-21 | The Register: More Cisco SD-WAN bugs battered in attacks
The US Cybersecurity and Infrastructure Security Agency (CISA) has warned of active attacks on three Cisco Catalyst SD-WAN Manager vulnerabilities, giving federal agencies a four-day deadline to patch them. The flaws include CVE-2026-20128 (information disclosure), CVE-2026-20133 (information disclosure), and CVE-2026-20122 (arbitrary file overwrite). Cisco patched these vulnerabilities in February, with active exploitation noted for CVE-2026-20128 and CVE-2026-20122. CVE-2026-20133 is not currently under active exploitation.
Date: 2026-04-20 | Source: Recorded Future
A theft of nearly $290 million in cryptocurrency from the Kelp platform has been attributed to North Korean hackers, specifically the TraderTraitor group. The attack exploited Kelp's reliance on a single Decentralized Verifier Network (DVN) from LayerZero, which LayerZero warned against. The hackers manipulated LayerZero's systems to create fictitious rsETH, using it as collateral to borrow real assets. A DDoS attack on backup systems further facilitated the theft. Law enforcement is involved in the ongoing investigation.
2026-04-20 | TechCrunch: North Korean hackers blamed for $290M crypto theft
Hackers stole over $290 million in cryptocurrency from Kelp DAO, marking the largest crypto theft of 2023. LayerZero accused North Korea's TraderTraitor group of executing the heist by exploiting Kelp DAO's LayerZero bridge and its inadequate security configuration, which lacked multiple transaction verifications. Kelp DAO disputed LayerZero's claims. North Korean hackers have been increasingly successful, stealing over $2 billion in crypto last year and approximately $6 billion since 2017.
2026-04-21 | Infosecurity Magazine: North Korea Blamed for $290m KelpDAO Crypto Heist
State-backed hackers, likely from North Korea's Lazarus Group, executed a sophisticated $290 million heist on KelpDAO, a decentralized finance protocol. The breach involved exploiting vulnerabilities in LayerZero's infrastructure, leading to a DDoS attack that facilitated a forged cross-chain message and unauthorized transfer of 116,500 rsETH. KelpDAO's single-point-of-failure configuration was criticized for not adhering to best practices. Approximately $71 million of the stolen funds has been frozen by Arbitrum's Security Council.
2026-04-21 | TechRadar: North Korea's Lazarus makes off with $290M crypto in Kelp DAO heist after siphoning funds using fraudulent transactions
North Korea's Lazarus Group stole $290 million in cryptocurrency from Kelp DAO by exploiting vulnerabilities in the LayerZero integration. The attackers compromised servers that verify cross-chain transactions, allowing them to create fraudulent transfers. LayerZero stated the incident was isolated to Kelp DAO's configuration, while Kelp DAO disputed this claim. This heist continues Lazarus's history of targeting Web3 projects to fund North Korea's state activities.
2026-04-21 | Security Affairs: North Korea’s Lazarus APT stole $290M from Kelp DAO
On April 18, 2026, North Korea's Lazarus APT stole $290M from Kelp DAO by exploiting vulnerabilities in LayerZero infrastructure. The attackers manipulated compromised nodes to drain 116,500 rsETH. Kelp DAO paused contracts and blocked wallets, preventing a second theft attempt of $95M. The incident revealed weaknesses in Kelp's single-verifier setup, which lacked redundancy. LayerZero emphasized the need for multi-verifier configurations to mitigate such risks. The breach significantly impacted the DeFi ecosystem, with Aave losing nearly $8B in value.
Date: 2026-04-20 | Source: US Department of Justice
A Florida man, Angelo Martino, pleaded guilty to conspiracy to deploy BlackCat ransomware and extort U.S. victims. From April to November 2023, he misused his role at a cyber incident response firm to assist BlackCat actors, providing confidential negotiation information that increased ransom amounts. Martino, along with accomplices, extorted approximately $1.2 million in Bitcoin. Law enforcement seized over $10 million in assets linked to the scheme. He faces up to 20 years in prison, with sentencing scheduled for July 9, 2024.
2026-04-21 | The Register: Yet another ex-ransomware negotiator admits turning rogue after payoff from crimelords
Angelo Martino, a former ransomware negotiator at DigitalMint, pleaded guilty to aiding the ALPHV/BlackCat ransomware gang in extorting five US companies. He provided confidential information to maximize ransom payments, benefiting financially from the scheme. The companies included a hospitality firm that paid $16.48 million and a nonprofit that paid nearly $26.8 million. Martino, along with two co-conspirators, also deployed ransomware, demanding over $16 million in total. His sentencing is set for July.
2026-04-21 | The Hacker News: Ransomware Negotiator Pleads Guilty to Aiding BlackCat Attacks in 2023
Angelo Martino, a ransomware negotiator, pleaded guilty to aiding BlackCat ransomware attacks against U.S. companies in 2023. He provided confidential negotiation strategies and insurance details to the attackers, maximizing ransom amounts. Martino, along with two accomplices, extorted victims, including one for $1.2 million in Bitcoin. Authorities seized $10 million in assets from him. He faces up to 20 years in prison, with sentencing scheduled for July 9, 2026.
2026-04-21 | Help Net Security: Ransomware negotiator admits role in attacks he was hired to resolve
Angelo Martino, a former ransomware negotiator at DigitalMint, pleaded guilty to conspiring in ransomware attacks against US companies. He provided the BlackCat/ALPHV group with confidential client information, aiding their extortion efforts, including a $1.2 million Bitcoin payment from one victim. Martino faces a maximum of 20 years in prison, with sentencing set for July 9. Co-conspirators Kevin Martin and Ryan Goldberg also pleaded guilty and are scheduled for sentencing on April 30, 2025.
2026-04-21 | TechCrunch: Ransomware negotiator pleads guilty to helping ransomware gang
Angelo Martino, a former ransomware negotiator at DigitalMint, pleaded guilty to aiding the ALPHV/BlackCat ransomware gang by sharing confidential information about victims, including insurance policy limits and negotiation strategies. He faces up to 20 years in prison and has had $10 million in assets seized. Martino, along with two other former employees, reportedly generated over $1.2 million from a single victim in 2023. Authorities previously disrupted ALPHV's operations and released a decryption tool for over 500 victims.
2026-04-21 | Security Affairs: Ransomware negotiator caught secretly assisting BlackCat extortion scheme
Angelo Martino, a ransomware negotiator, pleaded guilty to aiding the BlackCat ransomware group while employed at a U.S. incident response firm. From April to November 2023, he shared sensitive client information with the attackers, helping them extort victims, including one who paid $1.2M in Bitcoin. Martino faces up to 20 years in prison, with sentencing set for July 9, 2026. Co-conspirators Ryan Goldberg and Kevin Martin also pleaded guilty and are scheduled for sentencing on April 30, 2026.
2026-04-21 | Cyberscoop: Former DigitalMint ransomware negotiator pleads guilty to extortion scheme
Angelo John Martino III, a former ransomware negotiator for DigitalMint, pleaded guilty to conspiring with ransomware affiliates to extort payments from U.S. companies he represented. He exploited confidential information to maximize ransom payments, aiding in a total of $75.3 million in extorted ransoms. Martino's actions included collaborating with other former DigitalMint employees to deploy BlackCat ransomware. He faces up to 20 years in prison, with sentencing set for July 9. Authorities seized $10 million in assets linked to him.
2026-04-22 | Infosecurity Magazine: Former Ransomware Negotiator Pleads Guilty to Working For BlackCat Cyber Gang
Angelo Martino, a former ransomware negotiator, pleaded guilty to conspiring with the BlackCat ransomware group to attack multiple US victims. He admitted to providing sensitive information to maximize ransom profits while working for five corporate victims. Martino, along with accomplices, deployed ransomware from April to November 2023, generating significant revenue. Authorities seized $10 million in assets from him. He faces a maximum of 20 years in prison, with sentencing set for July 9.
2026-04-22 | TechRadar: Ransomware negotiator recruited by BlackCat ransomware gang pleads guilty to 2023 attacks, faces 20 years in prison
Angelo Martino, a ransomware negotiator from Florida, pleaded guilty to aiding the BlackCat ransomware gang in 2023. He shared confidential client information, which helped maximize ransom demands, and conspired to deploy ransomware against multiple victims. Martino laundered over $1 million in Bitcoin and faces up to 20 years in prison, with sentencing set for July 9, 2026. Two accomplices also pleaded guilty, with sentencing expected soon. The DOJ has seized $10 million in assets linked to Martino.
Date: 2026-04-20 | Source: Recorded Future
Tyler Robert Buchanan, a 24-year-old British hacker, pleaded guilty to conspiracy to commit wire fraud and aggravated identity theft in a U.S. federal court, linked to the Scattered Spider cybercrime campaign that stole at least $8 million in cryptocurrency. The group executed phishing attacks, including SMS phishing, targeting companies like MGM Resorts, Coinbase, and Twilio. Buchanan faces up to 22 years in prison, with sentencing scheduled later this year.
2026-04-20 | Hack Read: British Hacker Tyler Buchanan Pleads Guilty to $8M Hacking Scheme in US
Tyler Robert Buchanan, a 24-year-old British hacker, pleaded guilty to a hacking scheme that generated at least $8 million by targeting U.S. companies from September 2021 to April 2023. He exploited compromised employee credentials and SMS phishing to access sensitive corporate networks, stealing data and crypto assets. Buchanan, linked to the hacking group Scattered Spider, was extradited from Spain and faces up to 22 years in prison. His sentencing is scheduled for August 21, 2026.
2026-04-20 | The Register: Scot becomes second Scattered Spider-linked crook to plead guilty in US
Tyler Robert Buchanan, a 24-year-old from Scotland, pleaded guilty in California to conspiracy to commit wire fraud and aggravated identity theft, linked to a phishing and SIM-swap scheme that stole over $8 million in cryptocurrency. Arrested in June 2024, he admitted to defrauding at least a dozen US companies and individuals between September 2021 and April 2023. Buchanan's sentencing is scheduled for August 21, 2026. He was part of the Scattered Spider cybercrime group, known for sophisticated attacks.
2026-04-20 | Security Affairs: Scattered Spider member Tyler Buchanan pleads guilty to major crypto theft
Tyler Buchanan, a member of the Scattered Spider group, pleaded guilty in a U.S. court to hacking and stealing over $8 million in cryptocurrency through SMS phishing attacks targeting multiple companies. Arrested in Spain, he admitted to conspiring to commit wire fraud and aggravated identity theft. His group used phishing kits to capture credentials, conducted SIM swap attacks, and accessed sensitive data from corporate breaches. Sentencing is scheduled for August 21, with a maximum of 22 years in prison.
2026-04-21 | Cyber Security News: British National Admits Hacking Companies and Stealing Millions in Virtual Currency
A British man, Tyler Robert Buchanan, pleaded guilty to conspiracy to commit wire fraud and aggravated identity theft in a cybercrime scheme that stole over $1 million in virtual currency. Between September and April, he and co-conspirators used SMS phishing and SIM swapping to target companies and individuals, capturing sensitive information and accessing accounts. Investigators found evidence of the crimes at Buchanan's residence. Sentencing is scheduled for August, with a maximum prison sentence pending.
2026-04-21 | DIGIT: Scottish Hacker Pleads Guilty to US Cyber Heists
Tyler Robert Buchanan, a 24-year-old from Dundee, pleaded guilty to conspiring to hack at least a dozen US companies via SMS phishing, stealing $8 million in virtual currency. He and his group, linked to the Scattered Spider syndicate, sent phishing messages to employees, capturing credentials through spoofed websites. The DOJ noted they accessed sensitive information and defrauded multiple companies. Buchanan faces 22 years in prison at sentencing in August. Three co-defendants remain charged.
2026-04-21 | Help Net Security: Scattered Spider hacker pleads guilty to stealing $8 million in cryptocurrency
Tyler Robert Buchanan, a 24-year-old British national linked to the Scattered Spider cybercrime group, pleaded guilty to stealing over $8 million in cryptocurrency through SMS phishing. Between September 2021 and April 2023, he and co-conspirators targeted various companies, using phishing texts to obtain employee credentials. Buchanan faces up to 22 years in prison. Other group members have also been charged, with one serving a 10-year sentence and ordered to pay $13 million in restitution.
2026-04-21 | Krebs on Security: ‘Scattered Spider’ Member ‘Tylerb’ Pleads Guilty
Tyler Robert Buchanan, a 24-year-old member of the cybercrime group "Scattered Spider," pleaded guilty to wire fraud conspiracy and aggravated identity theft. He admitted to participating in SMS phishing attacks in 2022 that targeted companies like Twilio and LastPass, stealing over $8 million in cryptocurrency. Buchanan was arrested in June 2024 and faces a maximum of 22 years in prison, with sentencing set for August 21, 2026. Other group members face ongoing charges, and investigations link them to a broader cybercriminal community.
2026-04-21 | Cyberscoop: Scottish man pleads guilty to attack spree that created Scattered Spider’s notoriety
Tyler Robert Buchanan, a 24-year-old from Scotland, pleaded guilty to conspiracy to commit wire fraud and aggravated identity theft, linked to a series of phishing attacks and cryptocurrency thefts from September 2021 to April 2023. He faces up to 22 years in prison, with sentencing set for August 21. Buchanan and his group, Scattered Spider, stole over $8 million from U.S. victims, including high-profile individuals and businesses. His arrest in Spain followed a federal investigation into their cybercrimes.
Date: 2026-04-20 | Source: Cyber Security News
Vercel confirmed a data breach on April 18-19, 2026, after hackers accessed internal systems via a compromised Google Workspace OAuth app linked to Context.ai. The attackers, claiming to be ShinyHunters, offered stolen data for $2 million, including employee records and access keys. Vercel is investigating with Mandiant and advises customers to rotate potentially exposed API keys and tokens. No sensitive environment variables were accessed, and all services remain operational.
2026-04-20 | The Hacker News: Vercel Breach Tied to Context AI Hack Exposes Limited Customer Credentials
Vercel disclosed a breach linked to the compromise of Context.ai, allowing unauthorized access to certain internal systems. An attacker took over an employee's Google Workspace account, accessing some environment variables not marked as sensitive. A limited subset of customer credentials was compromised, prompting Vercel to advise immediate credential rotation. The company is collaborating with cybersecurity firms and law enforcement to investigate. Best practices for security have been recommended, including auditing environment variables and reviewing activity logs.
2026-04-20 | The Register: Next.js developer Vercel warns of customer credential compromise
On April 19, Vercel reported a security incident involving unauthorized access to internal systems, leading to the compromise of customer credentials linked to Context.ai, a third-party AI tool. Vercel advised affected customers to rotate their credentials and is investigating potential data exfiltration. Context.ai acknowledged a prior incident involving unauthorized access to its AWS environment and noted that OAuth tokens for some users were likely compromised. Both companies faced criticism for inadequate security measures.
2026-04-20 | Security Affairs: Third-party AI hack triggers Vercel breach, internal environments accessed
Vercel experienced a security breach due to a compromised third-party AI tool, Context.ai, used by an employee. The attacker accessed the employee's Google Workspace account, allowing limited access to Vercel's internal systems and non-sensitive data. Vercel is collaborating with Mandiant and law enforcement to investigate. Users are advised to check account activity, rotate exposed secrets, and enhance security measures. A suspicious OAuth app ID linked to the breach has been identified for removal.
2026-04-20 | TechRadar: 'We've identified a security incident': Vercel breach confirmed after hackers claim stolen data for sale online
Vercel confirmed a cyberattack involving unauthorized access to internal systems via a compromised Context.ai account, leading to the exposure of non-sensitive environment data. The attacker accessed an employee's Google Workspace, potentially exfiltrating data. A dark web actor claims to be selling Vercel's source code and 580 employee records for $2 million, though the ShinyHunters group has distanced itself from the incident. Vercel has notified affected customers and recommended credential rotation.
2026-04-20 | CSO Online: Hackers exploit Vercel’s trust in AI integration
Hackers exploited a vulnerability in Vercel's trust in a third-party AI application, Context.ai, leading to a data breach. An employee's Google Workspace account was compromised through OAuth, allowing attackers to access certain environment variables not marked as “sensitive.” Vercel stated that sensitive environment variables are protected and there is no evidence that these were accessed during the breach. The incident highlights risks associated with third-party integrations in cloud platforms.
2026-04-20 | The Hacker News: ⚡ Weekly Recap: Vercel Hack, Push Fraud, QEMU Abused, New Android RATs Emerge & More
Vercel disclosed a data breach allowing unauthorized access to internal systems via a compromised third-party AI tool, Context.ai. The attacker took over an employee's Google Workspace account, accessing non-sensitive environment variables. Meanwhile, law enforcement disrupted a DDoS-for-hire operation, taking down 53 domains. New threats include the PowMix botnet targeting Czech workers and a campaign exploiting malformed APKs to distribute Android malware. Additionally, 108 malicious Chrome extensions were identified, stealing user data.
2026-04-20 | TechCrunch: App host Vercel says it was hacked and customer data stolen
Cloud app hosting company Vercel reported a breach where hackers accessed customer data by exploiting an OAuth connection through a downloaded app from Context AI. The attackers claimed to have stolen sensitive customer credentials and are selling them online. Vercel confirmed that its Next.js and Turbopack projects were unaffected and advised customers to rotate non-sensitive keys. The breach may impact hundreds of users across various organizations, highlighting risks in supply chain security. Context AI acknowledged a prior breach but did not disclose it initially.
2026-04-20 | Help Net Security: Vercel breached via compromised third-party AI tool
Vercel experienced a security breach due to a compromised third-party AI tool, Context.ai, which allowed attackers to access a Vercel employee's Google Workspace account. This led to unauthorized access to some internal systems and credentials of a limited number of customers. Affected customers were advised to rotate credentials, review account activity, and utilize sensitive environment variables. The breach is under investigation with assistance from Google Mandiant, and the attacking group has been linked to ShinyHunters.
2026-04-20 | Cybersecurity Dive: Vercel systems targeted after third-party tool compromised
Vercel's internal systems were accessed after a third-party tool, Context.ai, was compromised. An attacker took over a Vercel employee's Google Workspace account, accessing non-sensitive company environments. A limited number of customer credentials were compromised, prompting immediate rotation. Vercel is collaborating with Mandiant and law enforcement. Context reported a prior attack in March affecting its AWS environment, leading to OAuth token compromises. The incident underscores third-party risk management and AI-related permissions.
2026-04-20 | Security Magazine: Vercel Breach Originated From an Employee’s AI Tool
Vercel confirmed a data breach due to a third-party AI tool, Context.ai, used by an employee, allowing unauthorized access to internal systems. The breach affected a limited subset of customers, who have been notified. Sensitive environments showed no evidence of access. Vercel is collaborating with cybersecurity firms and law enforcement to assess the situation. Security experts emphasize the risks of using consumer AI tools with enterprise credentials and recommend stricter permissions and environment variable hygiene.
2026-04-20 | Wiz: Context.ai OAuth Token Compromise
On April 4, 2026, Vercel reported a security breach involving unauthorized access through a compromised Google Workspace account linked to the Context.ai OAuth application. The attacker exploited OAuth tokens with broad permissions, potentially due to an infostealer infection at Context.ai. Security teams are advised to revoke access to the compromised application, rotate credentials, and investigate account activity. The incident highlights risks associated with third-party OAuth integrations, necessitating thorough audits and enhanced security measures.
2026-04-20 | Cyberscoop: Vercel’s security breach started with malware disguised as Roblox cheats
Vercel experienced a security breach after an attacker exploited malware disguised as Roblox cheats, initially infecting a Context.ai employee's computer. This led to unauthorized access to Vercel's Google Workspace account and sensitive environments. Vercel advised affected customers to rotate credentials. The threat group ShinyHunters claimed responsibility and is attempting to sell stolen data, including access keys and source code. Investigations by Vercel and Context.ai, supported by CrowdStrike and Mandiant, are ongoing.
2026-04-20 | Hack Read: Vercel Breach Linked to Context.ai, ShinyHunters Says It’s Not Involved
On April 19, 2026, Vercel confirmed a security incident linked to a compromise at third-party Context.ai, where attackers accessed a Context.ai employee's Google Workspace account. This allowed them to exploit OAuth permissions to reach Vercel's systems, accessing employee information and internal logs, but not sensitive data. ShinyHunters, claiming responsibility, was denied by the real group, which stated the BreachForums domain was fake. Vercel is investigating and has engaged incident response teams for mitigation.
2026-04-21 | Infosecurity Magazine: Vercel Confirms Cyber Incident After Sophisticated Attacker Exploits Third‑Party Tool
Vercel confirmed a cyber incident involving unauthorized access to internal data due to an employee's use of the third-party tool Context.ai. The attacker compromised the employee's Google Workspace account, gaining access to non-sensitive environment variables. Vercel stated that no npm packages were affected. A threat actor claiming to be from ShinyHunters is attempting to extort $2 million. Vercel advises customers to enable MFA, review exposed variables, and monitor for suspicious activity.
2026-04-21 | The Register: AI-assisted intruders pwned Vercel via OAuth abuse and a pilfered employee account
Vercel experienced a breach initiated by a compromised employee account linked to Context.ai, allowing attackers to hijack the employee's Google Workspace account. The attackers exploited OAuth abuse and accessed non-sensitive environment variables. Vercel's CEO suspects AI-assisted tactics were used due to the attackers' speed and sophistication. Affected customers are limited, and Vercel advises credential rotation and monitoring access logs. Stolen data is reportedly being sold for $2 million on BreachForums.
2026-04-21 | Recorded Future: Cloud platform Vercel says company breached through third-party AI tool
A cyberattack on Vercel, a cloud platform, was traced to a third-party AI tool, Context.ai, used by an employee. The breach compromised employee accounts and internal databases, prompting Vercel to notify affected customers to rotate their credentials. The attacker gained access through a compromised Google Workspace account, but sensitive environment variables remain secure. Context.ai revealed that OAuth tokens for some users were also compromised. The hackers demanded a $2 million ransom, and Vercel is investigating further.
2026-04-21 | Security Magazine: Security Leaders Discuss the Vercel Breach
The Vercel data breach involved a compromised third-party AI tool that allowed unauthorized access to internal systems via OAuth credentials. The breach was characterized as an identity-centric supply chain exposure rather than a full-scale supply chain attack. Security experts emphasized the need for organizations to audit OAuth app grants, review permissions, and implement continuous monitoring to mitigate risks associated with third-party integrations. The incident highlights the growing vulnerability of OAuth 2.0 trust relationships in modern security landscapes.
Date: 2026-04-18 | Source: Microsoft Security
Threat actors are exploiting Microsoft Teams for cross-tenant impersonation, posing as IT support to socially engineer users into granting remote desktop access. This access enables credential-backed lateral movement using WinRM, targeting high-value assets like domain controllers. Attackers utilize trusted applications for malicious code execution and data exfiltration via tools like Rclone. Recommendations include user education, enforcing MFA, and restricting administrative protocols to mitigate these risks.
2026-04-20 | CSO Online: Attackers abuse Microsoft Teams to impersonate the IT helpdesk in a new enterprise intrusion playbook
Attackers are exploiting Microsoft Teams by impersonating IT helpdesk staff to gain initial access to enterprises. This "cross-tenant helpdesk impersonation" technique involves initiating conversations through Teams' external access feature. Microsoft highlights that social engineering is used to persuade employees to grant remote control, allowing attackers to operate within trusted channels and circumvent traditional phishing defenses.
2026-04-20 | Cyber Security News: Attackers Abuse Microsoft Teams and Quick Assist in New Helpdesk Impersonation Attack Chain
A new attack campaign involves threat actors impersonating IT helpdesk staff via Microsoft Teams, tricking employees into granting remote access through Quick Assist. The attackers, operating from a separate Microsoft tenant, exploit user trust in familiar tools, bypassing security defenses. Once access is gained, they conduct reconnaissance and deploy malicious payloads using DLL side-loading. Recommendations include verifying unsolicited Teams contacts, restricting remote tools, and enabling security measures like MFA and ASR rules.
2026-04-21 | TechRadar: Microsoft issues warning over Teams helpdesk impersonation attacks – hackers are 'blending into routine IT support activity' by abusing remote assistance access
Microsoft has issued a warning regarding Teams users being targeted by scammers impersonating IT staff. Attackers exploit the cross-tenant chat feature to initiate contact and convince victims to grant remote access via Quick Assist. Once inside, they use legitimate tools to move laterally within the network, install Rclone, and exfiltrate sensitive data. This method blends into routine IT activities, making it difficult for victims and actual IT teams to detect the intrusion.
Date: 2026-04-17 | Source: Security Affairs
Kyrgyzstan-based crypto exchange Grinex has ceased operations following a $13.7 million cyber heist, which it attributes to Western intelligence agencies. The attack targeted Russian users, with over 1 billion rubles stolen from their wallets. Grinex reported the incident to law enforcement and indicated the attack aimed to undermine Russia's financial sovereignty. Blockchain security firm Elliptic noted that hackers moved approximately $15 million in USDT to other wallets and converted it to TRX or ETH to evade freezing by Tether.
2026-04-17 | Chainalysis: Sanctioned Russia-Linked Exchange Grinex Suspends Operations Following Alleged Cyberattack
Grinex, a Russia-linked cryptocurrency exchange, suspended operations following a claimed cyberattack resulting in a loss of 1 billion rubles ($13.7 million). The exchange accused foreign intelligence services of orchestrating the attack. On-chain data revealed that exfiltrated funds were quickly swapped for Tron (TRX) using a decentralized exchange, raising questions about the legitimacy of Grinex's claims. The incident highlights potential motives for an inside job or false flag operation amid ongoing sanctions.
2026-04-17 | Ars Technica: US-sanctioned currency exchange says $15 million heist done by "unfriendly states"
Grinex, a US-sanctioned cryptocurrency exchange in Kyrgyzstan, has halted operations following a $15 million heist attributed to "western special services" hackers. TRM confirmed the theft, identifying 70 drained addresses. Grinex reported ongoing attacks since its inception 16 months ago, with the latest targeting Russian users. The exchange claims the attack aimed to damage Russia's financial sovereignty and has reported the incident to law enforcement. TokenSpot, another exchange, was also breached, suggesting a coordinated attack.
2026-04-18 | The Hacker News: $13.74M Hack Shuts Down Sanctioned Grinex Exchange After Intelligence Claims
Grinex, a sanctioned cryptocurrency exchange, suspended operations following a $13.74 million hack attributed to foreign intelligence agencies. The attack, occurring on April 15, 2026, resulted in the theft of over 1 billion rubles. Grinex, believed to be a rebrand of Garantex, has faced ongoing cyber threats since its inception. Blockchain analytics firms noted that stolen funds were quickly converted to non-freezable tokens, raising questions about the nature of the attack, whether it was a legitimate exploit or a false flag operation.
2026-04-20 | Infosecurity Magazine: Crypto Exchange Grinex Blames Western Spies for $13m Theft
Kyrgyzstan-based crypto exchange Grinex reported a cyber-attack resulting in the theft of approximately $13.2 million from Russian customers, blaming Western intelligence agencies. Grinex, linked to the sanctioned Garantex, claimed the attack aimed to undermine Russia's financial sovereignty. However, blockchain experts from Chainalysis expressed skepticism, suggesting the incident may be a false flag to cover an internal fund diversion, as the stolen funds were quickly converted to TRX using a decentralized exchange.
2026-04-21 | Hack Read: Grinex crypto exchange shuts down, blames Western agencies for $13.7M breach
On April 16, 2023, Kyrgyzstan-based crypto exchange Grinex suspended operations following a breach that resulted in the theft of approximately $13.7 million. Grinex attributed the attack to Western intelligence agencies, a claim disputed by Chainalysis, which suggested the incident might be an exit scam due to the movement of stolen funds through a decentralized exchange. Grinex, previously sanctioned, was a key player in facilitating transactions for the A7A5 token, designed to bypass financial restrictions.
Date: 2026-04-17 | Source: Hack Read
Cybersecurity researchers at Fortinet's FortiGuard Labs have identified a new Mirai variant, Nexcorium, targeting DVR devices, particularly TBK DVR-4104 and DVR-4216 models, exploiting CVE-2024-3721. This malware creates a botnet for DDoS attacks, using brute-force methods with hardcoded passwords. Nexcorium is persistent, replicating itself and setting up automatic tasks. Recommendations include changing default passwords and keeping software updated to mitigate risks associated with this high-level threat.
2026-04-18 | The Hacker News: Mirai Variant Nexcorium Exploits CVE-2024-3721 to Hijack TBK DVRs for DDoS Botnet
Threat actors are exploiting CVE-2024-3721, a command injection vulnerability (CVSS score: 6.3) in TBK DVRs, to deploy the Nexcorium variant of the Mirai botnet. This malware targets TBK DVR-4104 and DVR-4216 devices, leveraging weak security settings and known exploits. It establishes persistence and can launch DDoS attacks. Additionally, automated scans for CVE-2023-33538 in EoL TP-Link routers were detected, although attempts were flawed. Users are advised to replace unsupported devices and avoid default credentials.
2026-04-18 | Cyber Security News: Nexcorium-Associated Mirai Variant Uses TBK DVR Exploit to Scale Botnet Operations
A new variant of the Mirai botnet, named Nexcorium, is exploiting a command injection vulnerability (CVE-2024-3721) in TBK DVR models to create a large-scale DDoS botnet. The malware employs a modular architecture, integrates legacy exploits like CVE-2017-17215, and uses brute-force attacks with default credentials. Nexcorium ensures persistence through multiple mechanisms and communicates with a C2 server for attack directives. Organizations are urged to patch vulnerabilities and secure IoT devices.
2026-04-18 | Security Affairs: Nexcorium Mirai variant exploits TBK DVR flaw to launch DDoS attacks
A Mirai variant named Nexcorium exploits a command injection flaw (CVE-2024-3721) in TBK DVRs and outdated TP-Link routers to launch DDoS attacks. Researchers from Fortinet report that attackers use this vulnerability to deploy malware, expanding their botnet by targeting unpatched devices. Nexcorium features multiple persistence methods and supports various DDoS attack types. It also incorporates exploits like CVE-2017-17215 and brute-force capabilities, enhancing its infection reach and adaptability.
2026-04-20 | Cyber Security News: Hackers Use CVE-2024-3721 to Infect TBK DVRs With Nexcorium DDoS Malware
A botnet campaign is exploiting CVE-2024-3721 in TBK DVR-4104 and DVR-4216 models to deploy Nexcorium malware, a Mirai variant for DDoS attacks. The vulnerability allows remote code execution via unauthenticated HTTP requests. Nexcorium also targets TP-Link routers using CVE-2017-17215. The malware maintains persistence, uses a C2 channel for commands, and employs brute-force attacks on other devices. Users are advised to replace affected devices and implement strong passwords and network segmentation.
2026-04-20 | Infosecurity Magazine: Attackers Exploit DVR Command Injection Flaw to Deploy Mirai-Based Botnet
A malware campaign exploiting CVE-2024-3721 in TBK DVR systems has been identified, deploying a Mirai-based botnet called Nexcorium. Attackers use crafted requests to execute a downloader script that retrieves malware binaries for various architectures. The malware employs persistence techniques, modifies system files, and schedules tasks to maintain access. It supports multiple DDoS methods and can receive dynamic commands from a command server. Security experts emphasize the need for improved IoT device hygiene and agentless security solutions.
Date: 2026-04-17 | Source: TechCrunch
Bluesky confirmed that ongoing app outages are due to a sophisticated Distributed Denial-of-Service (DDoS) attack, which began on April 15, 2026. The attack has caused intermittent service interruptions, affecting feeds, notifications, and searches. Bluesky reported no evidence of unauthorized access to private data. The company is working on mitigation and will provide updates. Users are experiencing slow loading times and error messages, particularly on popular feeds.
2026-04-20 | Recorded Future: Bluesky blames app outage on ‘sophisticated’ DDoS attack
Bluesky reported that a "sophisticated" DDoS attack caused a significant outage starting April 15, disrupting core features like feeds and notifications. Engineers worked to mitigate the attack, which intensified throughout the day. The platform stabilized by April 16, with no unauthorized access to user data found. An Iran-linked group, 313 Team, claimed responsibility for the attack, targeting Bluesky's API. Bluesky has not confirmed this attribution. The platform has approximately 43.7 million users.
2026-04-21 | Security Affairs: Bluesky hit by 24-hour DDoS attack as pro-Iran group claims responsibility
Bluesky experienced a 24-hour DDoS attack starting April 15, 2026, causing service disruptions. The pro-Iran hacker group 313 Team claimed responsibility. The attack affected feeds, notifications, threads, and search functionalities. Bluesky reported no unauthorized access to user data and managed to limit the attack's impact. The group is known for politically motivated cyber activities, including DDoS attacks and phishing, and is linked to broader Iran-aligned cyber operations.
2026-04-22 | Hack Read: Bluesky Back Online After DDoS Attack, as Iran-Linked 313 Team Takes Credit
Bluesky experienced a Distributed Denial-of-Service (DDoS) attack starting on April 15, 2026, disrupting services for millions. The 313 Team, linked to Iran, claimed responsibility, targeting platforms seen as aligned with the US or Israel. Bluesky confirmed no unauthorized access to user data during the attack. By April 20, the platform reported stability and no evidence of data breaches, indicating that their cybersecurity measures effectively mitigated the attack.
Date: 2026-04-17 | Source: CSO Online
The US government is preparing to authorize Anthropic’s Claude Mythos AI model for use by federal agencies, amid concerns about its potential to identify and exploit cybersecurity vulnerabilities. Federal Chief Information Officer Gregory Barbaccia indicated that the Office of Management and Budget is establishing protections for this deployment. However, the internal memo did not specify which agencies would use the model or provide a timeline for implementation.
2026-04-20 | Times Now: US Security Agency Turns To Anthropic Despite Pentagon 'Supply Chain Risk' Warning
The US government is considering using Anthropic's AI model, Claude Mythos, which is designed to autonomously identify software vulnerabilities and prevent cyberattacks. Despite prior warnings from the Pentagon regarding supply chain risks, the model is viewed as a potential asset to enhance the government's cybersecurity measures.
2026-04-20 | DIGIT: Anthropic’s Mythos Lands It a White House Meeting
The US White House recently met with Anthropic's CEO to discuss collaboration on AI technology, particularly following the release of Claude Mythos, which enhances cyber defenses but also poses risks by exploiting vulnerabilities. Despite ongoing legal issues with the Department of Defense, the meeting indicates a shift in perception towards Anthropic. The firm’s new model, Opus 4.7, has reduced cyber capabilities but includes safeguards against misuse, with testing available through its Cyber Verification Program.
2026-04-20 | Malwarebytes Labs: Mythos: An AI tool too powerful for public release
Anthropic's Claude Mythos Preview is an advanced AI model capable of autonomously discovering and exploiting software vulnerabilities, posing significant cybersecurity risks. Limited access is granted to select organizations, including the NSA, for defensive purposes. Mythos can quickly identify multiple flaws and create complex exploit chains, potentially leading to faster and more sophisticated cyberattacks. The internal document warns that AI lowers the skill barrier for attackers, enabling less-skilled individuals to launch advanced operations.
2026-04-20 | Security Magazine: US Security Agency Leverages Claude Mythos Despite Pentagon Blacklist
The NSA is reportedly using Anthropic's Claude Mythos Preview, despite the Pentagon's supply-chain risk designation on the company. Announced on April 7, Mythos enhances cyber exploit identification and is currently in controlled deployment under Project Glasswing. Following discussions with the Trump administration, Anthropic aims to collaborate on cybersecurity and AI safety. The White House OMB plans to implement safeguards for government use of Mythos, ensuring appropriate protections are established.
2026-04-20 | TechRadar: US security agency still using Mythos despite ban – government using new security tool despite Pentagon's 'supply chain risk' designation
The NSA is reportedly using Anthropic’s Mythos Preview AI tool despite the Pentagon designating the company as a supply-chain risk. Mythos, part of Project Glasswing, can discover and exploit zero-day vulnerabilities. Anthropic previously refused a DoD request to weaken its AI guardrails, citing concerns over domestic surveillance and autonomous weapons. The tool is not publicly available and is limited to select software companies for security purposes. Neither the NSA nor Anthropic has commented on the situation.
2026-04-21 | Cyberscoop: Mythos can find the vulnerability. It can’t tell you what to do about it.
Mythos represents a significant advancement in AI-assisted vulnerability discovery, demonstrating the ability to find software vulnerabilities with unprecedented depth. However, it does not simplify the exploitation process or the operational challenges faced by enterprises. The real issue lies in prioritizing and remediating vulnerabilities effectively. Security leaders must prepare for a future where AI aids in scaling operations while maintaining human oversight, shifting from manual tasks to supervisory roles in cybersecurity.
2026-04-21 | Security Affairs: The US NSA is using Anthropic’s Claude Mythos despite supply chain risk
The U.S. NSA is utilizing Anthropic's Claude Mythos model despite the Department of Defense labeling it a supply chain risk. This highlights the tension between the need for advanced cybersecurity tools and concerns about their misuse. Mythos, capable of identifying vulnerabilities, is part of Project Glasswing, which aims to enhance software security through collaboration with major tech firms. Anthropic is investing $100M to improve defenses, emphasizing the need for responsible deployment of AI in cybersecurity.
2026-04-22 | Times Now: Sam Altman Says Anthropic Is Scaring People To Promote Its Mythos AI
Anthropic's Mythos AI has been described as extremely powerful and potentially dangerous, with the ability to identify software vulnerabilities and autonomously exploit them. AI researcher Nicholas Carlini's tests revealed that Mythos can create its own hacking tools, posing risks to platforms such as Linux. To mitigate these risks, Anthropic has limited the AI's use to a select group of enterprises to prevent misuse in cyberattacks.
2026-04-22 | Times Now: Panic In Anthropic Office As Someone Accessed Claude Mythos Without Authorisation
Panic ensues at Anthropic as an unauthorized group gains access to the Mythos AI model, raising concerns about its potential use as a hacking tool. The group claims to have had access since the model's inception. This incident highlights the urgency for firms to bolster their security measures against malicious actors ahead of the model's public release.
2026-04-22 | The Guardian: Anthropic investigates report of rogue access to hack-enabling Mythos AI
Anthropic is investigating unauthorized access to its Mythos AI model, which poses cybersecurity risks. A small group accessed Mythos through a third-party contractor's credentials, coinciding with its limited release to companies like Apple and Goldman Sachs. Although the users are not running cybersecurity prompts, concerns arise over Mythos's ability to identify IT system flaws, potentially enabling cyber-attacks. The UK’s AI Security Institute warns that Mythos represents a significant escalation in cyber-threat capabilities.
2026-04-22 | CSO Online: Anthropic bets on EPSS for the coming bug surge
Anthropic's Mythos has exacerbated challenges in vulnerability management by increasing the volume of discovered vulnerabilities without clear prioritization. The AI-driven system accelerates the identification and potential exploitation of software flaws, prompting defenders to urgently assess which vulnerabilities necessitate immediate action. This situation highlights the need for effective strategies to manage the influx of vulnerabilities in the security landscape.
2026-04-22 | TechRadar: Mythos and friends could be a 'net positive' for UK cyber security defenses but only if they're secured, says top cyber official
Richard Horne of the NCSC stated that AI tools like Anthropic's Mythos Preview could enhance UK cybersecurity if properly secured. Mythos, part of Project Glasswing, excels at discovering zero-day vulnerabilities, prompting its limited release to select software companies. Mozilla reported that Mythos identified 271 vulnerabilities in Firefox 150, a significant increase from previous models. Horne emphasized that frontier AI could help defenders outpace cybercriminals if accompanied by appropriate regulations.
2026-04-22 | TechRadar: Mythos accessed by unauthorized users as Anthropic says 'We’re investigating' — Cracks may be showing in Project Glasswing as unknown users access model via third parties
Unauthorized users have accessed Anthropic's Claude Mythos model, which can identify software vulnerabilities, raising security concerns. The access was facilitated through guesswork and third-party connections, including details from a data breach at AI-recruitment startup Mercor. Anthropic is investigating the unauthorized access, stating it has no evidence of exploitation beyond a third-party vendor's environment. The situation highlights potential vulnerabilities in Project Glasswing, which restricts access to the model for security purposes.
2026-04-22 | DIGIT: Anthropic Investigates Claimed Unauthorised Access to Mythos
AI firm Anthropic is investigating claims of unauthorized access to its unreleased Claude Mythos model, reportedly accessed through a third-party vendor environment. While no evidence suggests that Anthropic's systems were compromised or that the users are malicious, concerns arise regarding AI firms' ability to secure their models. The Mythos model, designed to identify and exploit vulnerabilities, was shared with select firms for testing, raising alarms about potential misuse if publicly accessible.
2026-04-22 | The Guardian: What is Mythos AI and why could it be a threat to global cybersecurity?
Anthropic's AI model, Mythos, poses a significant cybersecurity threat due to its ability to identify and exploit zero-day vulnerabilities in major IT systems and web browsers. Despite being withheld from public release, unauthorized access was reported, raising concerns about its potential misuse. The AI Security Institute noted Mythos's advanced capabilities, including executing complex cyber-attacks. While some experts caution against hype, they acknowledge its potential impact on cybersecurity practices and the urgency for businesses to upgrade outdated technologies.
2026-04-22 | Security Magazine: Unauthorized Users Accessed Claude Mythos, New Reports Suggest
Unauthorized users reportedly accessed Anthropic’s AI model, Claude Mythos Preview, by altering a model name. This incident raises concerns among security experts due to Mythos's ability to identify digital vulnerabilities. The access occurred on the same day of the model's limited release. Anthropic is investigating potential access through third-party vendor environments, with no breaches detected outside this context. Experts emphasize the need for software teams to enhance code security to prevent exploitation of vulnerabilities.
2026-04-22 | Microsoft Security: AI-powered defense for an AI-accelerated threat landscape
Recent advancements in AI are reshaping cybersecurity, enabling faster vulnerability discovery and exploitation. Microsoft emphasizes the need for organizations to adapt their security strategies, leveraging AI for vulnerability detection and mitigation. Through initiatives like Project Glasswing, Microsoft collaborates with industry partners to enhance security measures. Key areas of focus include AI-led vulnerability management, reducing exposure, and developing scalable AI-powered solutions. Continuous updates and proactive measures are essential for effective defense against evolving threats.
2026-04-22 | Hack Read: Discord-Linked Group Accessed Anthropic’s Claude Mythos AI in Vendor Breach
Unauthorized access to Anthropic's Claude Mythos AI occurred via a third-party vendor, with users from a Discord channel exploiting shared accounts and API keys. The breach was reported on April 21, 2026, and involved individuals familiar with Anthropic's URL conventions. While the group claims to be testing the model rather than using it maliciously, the AI's capabilities include identifying and exploiting software vulnerabilities, raising significant security concerns. Anthropic is investigating the incident.
2026-04-22 | The Register: Anthropic's super-scary bug hunting model Mythos is shaping up to be a nothingburger
Anthropic's Mythos model, designed for vulnerability detection, faced unauthorized access through a third-party vendor, raising concerns about insider and supply-chain threats. Despite initial hype, early user reports indicate Mythos does not surpass human researchers in finding vulnerabilities. Claims of thousands of high-severity vulnerabilities have been challenged, with some researchers suggesting the model's effectiveness is overstated. Overall, experts deem the unauthorized access and potential risks as minimal, labeling the situation a "nothingburger.
2026-04-23 | The Hacker News: Project Glasswing Proved AI Can Find the Bugs. Who's Going to Fix Them?
Anthropic's Project Glasswing, an AI model, discovered numerous software vulnerabilities, including a 27-year-old bug in OpenBSD. Despite its effectiveness, fewer than 1% of these vulnerabilities were patched, highlighting a significant gap in the cybersecurity ecosystem. The article emphasizes the need for organizations to adapt their security programs to handle the influx of findings, focusing on signal-driven validation, context-specific prioritization, and closed-loop remediation to keep pace with rapidly evolving threats.
2026-04-23 | Security Magazine: Security Leaders Discuss the Claude Mythos Breach
The Claude Mythos breach involved unauthorized access through a third-party contractor's credentials, highlighting vulnerabilities in access controls. Security leaders emphasize the need for improved AI-enabled cybersecurity measures and rapid patching to counter sophisticated threat actors. The breach raises concerns about the weaponization of AI tools for vulnerability discovery. Recommendations include enhanced visibility, anomaly detection, and microsegmentation to contain potential threats. The incident underscores the importance of securing third-party access pathways.
2026-04-23 | TechRadar: Australia joins countries trialing Claude Mythos 'to make sure we are aware of emerging vulnerabilities'
The Australian government is collaborating with Anthropic and other providers to monitor emerging cybersecurity vulnerabilities using Anthropic's Mythos Preview, part of Project Glasswing. Mythos is claimed to be capable of discovering and exploiting vulnerabilities at scale, though it remains unreleased to the public. The initiative has sparked debate over its potential impact on cybercrime and concerns about misuse if it falls into the wrong hands. No public release date for Mythos has been announced.
Date: 2026-04-17 | Source: Cyber Security News
A newly identified malware, ZionSiphon, targets Israeli water treatment and desalination facilities, posing a significant threat to critical infrastructure. It features hardcoded Israeli IP addresses and politically charged messages, indicating ideological motivations. The malware can manipulate chlorine dosing and pressure levels, potentially making water unsafe. It employs stealth techniques for persistence and scans for industrial control devices using Modbus and other protocols. Darktrace emphasizes the need for continuous monitoring in IT and OT environments to detect such threats.
2026-04-17 | Security Affairs: Inside ZionSiphon: politically driven malware aims at Israeli water systems
ZionSiphon is a politically motivated malware targeting Israeli water systems, capable of altering hydraulic pressure and chlorine levels. Analyzed by Darktrace, it uses techniques like privilege escalation and removable media propagation. The malware contains hardcoded IP ranges specific to Israel and includes political messages. However, it currently fails its targeting logic due to a mismatch in its encryption function, preventing activation. This suggests it is still under development, highlighting a trend in OT-targeted malware.
2026-04-17 | Hack Read: New ZionSiphon Malware Discovered Targeting Israeli Water Systems
Researchers at Darktrace have identified ZionSiphon, a new malware targeting Israeli water treatment plants, designed to manipulate Industrial Control Systems (ICS) settings. It uses protocols like Modbus and S7comm and can spread via USB drives. The malware disguises itself as a normal Windows process and includes a list of specific Israeli plant locations. Despite its intent to cause harm, coding errors may lead to self-destruction. The report emphasizes the need for vigilance in monitoring critical infrastructure.
2026-04-20 | Risky.Biz: Risky Bulletin: New malware tries to sabotage Israel's water system but fails because it's buggy
Security researchers at Darktrace discovered a new malware, ZionSiphon, aimed at sabotaging Israel's water management network. It targets operational technology systems within Israeli IP ranges and attempts to manipulate water pump pressure and chlorine levels. However, a bug prevents it from functioning correctly, causing it to self-delete. The malware is suspected to be linked to Iranian hackers, continuing a trend of cyberattacks against Israeli water companies since 2020.
2026-04-20 | The Hacker News: Researchers Detect ZionSiphon Malware Targeting Israeli Water, Desalination OT Systems
Cybersecurity researchers have identified ZionSiphon malware targeting Israeli water treatment and desalination systems, first detected on June 29, 2025. It features persistence, privilege escalation, and sabotage capabilities, specifically manipulating chlorine and pressure controls. The malware targets specific IPv4 ranges in Israel and includes self-destruct mechanisms for non-target systems. Additionally, it can propagate via removable media. The malware is still in development, with incomplete functionality.
2026-04-20 | Infosecurity Magazine: ZionSiphon Malware Targets Water Infrastructure Systems
ZionSiphon is a newly identified malware targeting water infrastructure systems, discovered by Darktrace. It combines endpoint compromise techniques with functions for industrial control systems (ICS), featuring privilege escalation, persistence, and USB propagation. The malware manipulates configuration files for chlorine dosing and pressure, scans for ICS devices, and embeds politically charged messages. Despite its capabilities, flaws in its execution logic limit its effectiveness, indicating it may still be under development.
Date: 2026-04-17 | Source: The Register
Mohan Pedhapati utilized Anthropic's Opus 4.6 model to create a Chrome exploit targeting the V8 JavaScript engine, incurring $2,283 in API costs. He highlighted the ease of exploit development with AI, warning that any determined individual could eventually exploit unpatched software. Pedhapati emphasized the need for developers to prioritize security and automate patching to mitigate risks, especially for applications using outdated Chrome versions, like Discord, which is nine versions behind.
2026-04-18 | Cyber Security News: Researcher Uses Claude Opus to Build a Working Chrome Exploit Chain
A security researcher demonstrated the use of Claude Opus to create a functional exploit chain targeting Google Chrome’s V8 JavaScript engine, specifically through the Discord application running an outdated version. The exploit combined two vulnerabilities: CVE-2026-5873, an out-of-bounds vulnerability, and a Use-After-Free flaw, achieving Remote Code Execution. The experiment required significant human oversight and cost approximately $2,300, highlighting the economic viability of AI-assisted exploitation amid slow vendor patching cycles.
2026-04-20 | Security Affairs: AI Model Claude Opus turns bugs into exploits for just $2,283
Claude Opus created a functional Chrome exploit for $2,283, demonstrating that AI can effectively weaponize vulnerabilities. The exploit was developed using Discord's outdated Chromium version, highlighting risks from unpatched software. Despite needing human guidance, AI accelerates exploit development, increasing the threat landscape. Experts warn that security patches can reveal vulnerabilities, and suggest improving development practices and patch management to mitigate risks. The trend indicates a growing gap between exploit creation and patching efforts.
2026-04-20 | DIGIT: Off-the-Shelf AI Models Are Getting Good at Hacking, Too
A study by Forescout reveals that off-the-shelf AI models have significantly improved in their ability to conduct vulnerability research and exploit development. Testing fifty AIs showed that all could handle vulnerability research, with half capable of producing functional exploits autonomously. Notably, models like Claude Opus 4.6 and Moonshot AI's Kimi K2.5 excelled in finding and exploiting vulnerabilities. Forescout warns that security professionals must adapt to this new threat landscape, emphasizing the urgency of patching vulnerabilities.
2026-04-20 | Palo Alto: Fracturing Software Security With Frontier AI Models
Frontier AI models significantly enhance the ability to discover software vulnerabilities, enabling autonomous zero-day discovery and complex exploit chaining. Open-source software faces heightened risks due to its transparency, allowing easier exploitation by attackers. Unit 42 recommends organizations adopt aggressive security measures, including strict code governance, rapid patching, and automated incident response, to counteract the accelerated threat landscape posed by these AI advancements.
2026-04-21 | Cyber Security News: AI-Powered Exploitation May Collapse the Patch Window for Defenders
AI is transforming cybercrime by enabling faster exploitation of software vulnerabilities. Unit 42 researchers found that AI models can autonomously identify vulnerabilities, connect weaknesses, and adapt during attacks, significantly reducing the time defenders have to respond. The report emphasizes the need for security teams to assume breach conditions, enhance endpoint protection, and automate incident response. Recommendations include stricter governance of open source software and urgent deployment of security measures to counteract AI-assisted threats.
Date: 2026-04-17 | Source: Cyber Security News
A zero-day vulnerability in Microsoft Defender, named “RedSun,” allows unprivileged users to escalate privileges to full SYSTEM access on fully patched Windows 10, 11, and Server 2019 and later. This exploit, tracked as CVE-2026-33825 with a CVSS score of 7.8, leverages a flaw in Defender's cloud file handling. Currently unpatched, it poses a significant risk in enterprise environments. Security teams should monitor for unusual Defender file write activity and implement detection rules until a fix is available.
2026-04-17 | Help Net Security: Researcher drops two more Microsoft Defender zero-days, all three now exploited in the wild
A security researcher released two additional zero-day exploits for Microsoft Defender, named “RedSun” and “UnDefend,” following a previous exploit. “RedSun” is a privilege escalation flaw, while “UnDefend” allows users to disable Defender updates. All three exploits are reportedly being used in the wild. Microsoft issued a fix for one vulnerability (CVE-2026-33825) on April 14. Huntress researchers have observed these exploits being utilized in attacks, prompting calls for an emergency patch from Microsoft.
2026-04-17 | Cyber Security News: Leaked Windows Defender 0-Day Vulnerability Actively Exploited in Attacks
Active exploitation of three leaked Windows Defender vulnerabilities, including CVE-2026-33825, has been confirmed. The exploit, BlueHammer, allows local users to escalate privileges to SYSTEM level on Windows 10 and 11. Tools RedSun and UnDefend were also released, targeting Windows systems. Microsoft patched BlueHammer in April 2026, but RedSun and UnDefend remain unpatched. Security teams are advised to apply updates, monitor for specific executables, and enforce least-privilege principles.
2026-04-17 | CSO Online: Another Microsoft Defender privilege escalation bug emerges days after patch
A newly disclosed vulnerability in Microsoft Defender allows for local privilege escalation to SYSTEM privileges. Named "RedSun," the proof-of-concept exploit demonstrates that Microsoft Defender mishandles cloud-tagged files, enabling attackers to overwrite protected system files. This issue surfaced shortly after a high-severity patch was released on April's Patch Tuesday. The exploit was shared by a GitHub user known as "Nightmare Eclipse," highlighting a significant flaw in the antivirus's file handling.
2026-04-17 | The Hacker News: Three Microsoft Defender Zero-Days Actively Exploited; Two Still Unpatched
Huntress reports that three zero-day vulnerabilities in Microsoft Defender, codenamed BlueHammer, RedSun, and UnDefend, are being actively exploited. BlueHammer (CVE-2026-33825) and RedSun are local privilege escalation flaws, while UnDefend can trigger a denial-of-service condition. Microsoft addressed BlueHammer in recent Patch Tuesday updates, but RedSun and UnDefend remain unpatched. Exploitation activity has been observed since April 10, 2026, with Huntress isolating affected organizations to mitigate risks.
2026-04-17 | TechRadar: 'They mopped the floor with me and pulled every childish game they could': Disgruntled researcher releases second major Windows zero-day — claims Microsoft 'would ruin my life, and they did'
A researcher known as "Chaotic Eclipse" disclosed a new zero-day vulnerability in Microsoft Defender, named "RedSun," which allows local privilege escalation to SYSTEM by exploiting the antivirus's file rewrite behavior. This flaw affects Windows 10, Windows 11, and Windows Server with Defender enabled. The researcher expressed dissatisfaction with Microsoft's handling of vulnerability disclosures. Microsoft stated it investigates reported security issues and supports coordinated vulnerability disclosure.
2026-04-17 | TechCrunch: Hackers are abusing unpatched Windows security flaws to hack into organizations
Hackers have exploited three unpatched Windows vulnerabilities—BlueHammer, UnDefend, and RedSun—targeting organizations, as reported by Huntress. BlueHammer has been patched by Microsoft, but the other two remain unaddressed. The vulnerabilities affect Windows Defender, allowing high-level access to compromised systems. The researcher Chaotic Eclipse published exploit code online, prompting concerns about the rapid weaponization of these vulnerabilities. Microsoft emphasized the importance of coordinated vulnerability disclosure in addressing such issues.
2026-04-17 | Tomsguide: Over 1 billion Windows users at risk after disgruntled security researcher leaks Defender zero-days
A security researcher leaked three zero-day vulnerabilities in Microsoft Defender, affecting over 1 billion Windows users. The flaws, BlueHammer (CVE-2026-33825), RedSun, and UnDefend, allow local privilege escalation and exploitation by blocking updates. BlueHammer has been patched, but RedSun and UnDefend remain unaddressed. RedSun can grant SYSTEM privileges, enabling malware to overwrite system files. Users are advised to install the April 2026 updates and monitor for further patches while considering additional antivirus solutions for protection.
2026-04-18 | Security Affairs: Microsoft Defender under attack as three zero-days, two of them still unpatched, enable elevated access
Attackers are exploiting three zero-day vulnerabilities in Microsoft Defender, named BlueHammer, RedSun, and UnDefend, to gain elevated access. BlueHammer (CVE-2026-33825) has been patched, while RedSun and UnDefend remain unpatched. BlueHammer and RedSun allow local privilege escalation, while UnDefend causes denial-of-service, blocking updates. Real-world exploitation began on April 10, 2026, with proof-of-concept code released by researcher Chaotic Eclipse.
Date: 2026-04-17 | Source: The Hacker News
A high-severity vulnerability in Apache ActiveMQ, tracked as CVE-2026-34197 (CVSS score: 8.8), is actively exploited, prompting CISA to add it to its KEV catalog. It involves improper input validation allowing code injection via the Jolokia API. Affected versions include Apache ActiveMQ Broker before 5.19.4 and 6.0.0 before 6.2.3. Users should upgrade to versions 5.19.4 or 6.2.3. Organizations are advised to audit deployments, restrict access, enforce strong authentication, and disable Jolokia if unnecessary.
2026-04-17 | Security Affairs: U.S. CISA adds a flaw in Apache ActiveMQ to its Known Exploited Vulnerabilities catalog
The U.S. Cybersecurity and Infrastructure Security Agency (CISA) added CVE-2026-34197, a critical flaw in Apache ActiveMQ, to its Known Exploited Vulnerabilities catalog on April 17, 2026. This flaw, with a CVSS score of 8.8, allows authenticated attackers to execute arbitrary code via the Jolokia JMX-HTTP bridge. It affects versions prior to 5.19.4 and 6.2.3. CISA mandates federal agencies to remediate this vulnerability by April 30, 2026, and advises private organizations to review and address it as well.
2026-04-17 | Cyber Security News: CISA Warns of Apache ActiveMQ Input Validation Vulnerability Exploited in Attacks
CISA has issued a warning about a critical vulnerability in Apache ActiveMQ, tracked as CVE-2026-34197, due to active exploitation. This flaw involves improper input validation, allowing attackers to execute arbitrary code and gain unauthorized access. Organizations must patch systems by April 30, 2026, following BOD 22-01. Immediate actions include applying security updates, monitoring network traffic, and considering discontinuation of ActiveMQ if patches are unavailable. The threat level remains critical.
2026-04-17 | The Register: CISA tells feds to patch 13-year-old Apache ActiveMQ bug under active attack
CISA has mandated federal agencies to patch a 13-year-old vulnerability in Apache ActiveMQ, tracked as CVE-2026-34197, within two weeks due to active exploitation. The flaw allows authenticated users to execute arbitrary code via the Jolokia management API. Patches are available in versions 5.19.5 and 6.2.3. Many deployments use default credentials, making access easier. Over 8,000 ActiveMQ instances are publicly reachable, heightening the urgency for administrators to address this vulnerability.
Date: 2026-04-16 | Source: Palo Alto
Active exploitation attempts of CVE-2023-33538, a command injection vulnerability in end-of-life TP-Link routers, were detected. The vulnerability allows attackers to inject commands via the ssid1 parameter, but requires authentication. Flawed exploit attempts targeting the wrong parameter (ssid) were observed. TP-Link recommends replacing affected devices as no patches are available. The malware associated with these attempts resembles Mirai botnet variants, emphasizing the risks of default IoT credentials.
2026-04-17 | Cybersecurity Dive: TP-Link routers face exploitation attempt linked to high-severity flaw
Hackers are attempting to exploit a high-severity command injection vulnerability in end-of-life TP-Link routers, tracked as CVE-2023-33538. Disclosed in June 2023, exploitation attempts share similarities with Mirai-like botnets. Although large-scale attempts were detected, they have not been successful. Users are advised to replace unsupported routers and avoid default credentials. Concerns about TP-Link router security have been ongoing, with previous warnings about critical flaws in their devices.
2026-04-17 | Cyber Security News: Hackers Target TP-Link Routers With Mirai Malware in CVE-2023-33538 Exploitation Attempts
Hackers are exploiting CVE-2023-33538, a vulnerability in end-of-life TP-Link routers, to install Mirai-based malware. Affected models include TL-WR940N, TL-WR740N, and TL-WR841N. The flaw allows command injection via the web management interface. Attackers send malicious HTTP GET requests to execute commands that download the arm7 binary from a specific IP, integrating the router into a botnet. TP-Link advises replacing affected devices and changing default credentials to mitigate risks.
2026-04-20 | Security Affairs: CVE-2023-33538 under attack for a year, but exploitation still unsuccessful
Hackers have targeted CVE-2023-33538, a command injection vulnerability in outdated TP-Link routers, for over a year without successful exploitation. The flaw affects models TL-WR940N, TL-WR740N, and TL-WR841N. CISA added it to the KEV catalog in June 2025, mandating fixes by July 7, 2025. Exploitation attempts involved sending crafted HTTP requests to the router's web interface, but limitations in the firmware and authentication requirements hindered successful attacks.
Date: 2026-04-16 | Source: Cyberscoop
Authorities from 21 countries seized 53 domains and arrested four individuals linked to DDoS-for-hire operations, impacting over 75,000 cybercriminals in "Operation PowerOFF." The operation dismantled infrastructure supporting these services, obtaining data on 3 million user accounts and issuing warnings to participants. DDoS-for-hire tools, often easy to access, allow users to target various organizations for reasons ranging from curiosity to financial gain. The crackdown involved multiple international law enforcement agencies.
2026-04-16 | TechCrunch: European police email 75,000 people asking them to stop DDoS attacks
A coalition of global law enforcement, led by Europol, emailed over 75,000 individuals suspected of using DDoS-for-hire services as part of Operation PowerOFF. This initiative resulted in four arrests, the takedown of 53 domains, and 24 search warrants executed. Europol identified users by seizing servers linked to these services. DDoS attacks remain prevalent due to their ease of execution, with Cloudflare reporting a peak attack of 29.7 terabits per second last year.
2026-04-17 | The Hacker News: Operation PowerOFF Seizes 53 DDoS Domains, Exposes 3 Million Criminal Accounts
An international operation, dubbed PowerOFF, has seized 53 DDoS domains and arrested four individuals linked to DDoS-for-hire services used by over 75,000 cybercriminals. The operation disrupted access to these services and accessed databases containing over 3 million criminal accounts. Authorities from 21 countries participated, issuing 25 search warrants and sending warnings to identified users. DDoS-for-hire services enable even non-technical individuals to launch attacks, posing significant risks to various organizations.
2026-04-17 | TechRadar: Europol launches Operation PowerOFF — warns 75,000 DDoS users and takes down 53 domains
Europol's Operation PowerOFF has disrupted DDoS-for-hire services across 21 countries, resulting in four arrests and the seizure of 53 domains. Authorities executed 25 search warrants and uncovered information on three million criminal accounts. To deter users, 75,000 warning emails were sent, and over 100 URLs advertising these services were removed from search engines. The operation aimed to dismantle the infrastructure supporting DDoS attacks and raise awareness about the illegality of such activities.
2026-04-17 | Infosecurity Magazine: DDoS-For-Hire Services Disrupted by International Police Action in ‘Operation PowerOff’
A multi-national law enforcement operation, Operation PowerOff, led to the takedown of 53 domains linked to DDoS-for-hire services and the arrest of four suspects. Involving 21 countries, the operation disrupted illegal booter services and seized infrastructure supporting DDoS attacks, including databases with over three million criminal user accounts. Authorities sent 75,000 warning emails to users of these services, aiming to prevent further attacks.
2026-04-17 | Security Affairs: Operation PowerOFF: 53 DDoS domains seized and 3 Million criminal accounts uncovered
Operation PowerOFF, conducted on April 13, 2026, involved 21 countries seizing 53 DDoS-for-hire domains and arresting four suspects. The operation uncovered over 3 million criminal user accounts linked to these services, which allow users to pay for launching DDoS attacks. Authorities sent over 75,000 warning emails to identified users and initiated campaigns to raise awareness about the illegality of such services. Ongoing efforts aim to dismantle global DDoS networks and prevent future attacks.
2026-04-17 | Cybersecurity Dive: US joins nearly two dozen other countries in striking back against DDoS-for-hire platforms
The U.S. and 20 other countries executed Operation PowerOFF, seizing 53 domains linked to DDoS-for-hire services. Authorities made four arrests, executed 25 search warrants, and issued over 75,000 warnings to customers. DDoS booter services have targeted various victims, including schools and government agencies. The operation also led to the removal of over 100 URLs advertising these services. Federal prosecutors have charged at least 11 individuals in the past four years for running such services.
2026-04-17 | Recorded Future: Four arrested in latest ‘PowerOFF’ DDoS-for-hire takedown
Four individuals were arrested in a coordinated takedown of DDoS-for-hire platforms across over 20 countries, led by Europol. Authorities executed 25 search warrants and seized more than 50 domains, identifying around 75,000 users. The U.S. Justice Department also seized eight sites, including "Vac Stresser" and "Mythical Stress," which offered DDoS attack plans ranging from $45 to $950. These services targeted various victims, including schools and government agencies, as part of ongoing efforts to disrupt the DDoS industry.
2026-04-18 | Hack Read: Operation PowerOFF: 75K Users of DDoS-for-Hire Services Identified and Warned
Law enforcement completed a crackdown on DDoS-for-hire services on April 13, 2026, as part of Operation PowerOFF, involving 21 countries. The operation resulted in four arrests and the seizure of 53 domains. Authorities identified over 3 million criminal user accounts and sent 75,000 warning letters to users. The initiative aims to deter individuals, particularly youth, from engaging in DDoS attacks, which severely disrupt online services.
Date: 2026-04-16 | Source: ABC News
Google's annual ads safety report reveals that its AI tool, Gemini, successfully blocked over 99% of policy-violating ads in 2025, removing 8.3 billion ads, including 602 million related to scams. The company suspended over 4 million advertiser accounts for scam activity. Gemini analyzes vast data signals to assess advertiser intent, reducing incorrect suspensions by 80%. Experts note the ongoing battle between AI-generated scams and defenses, predicting an escalation in AI's role in both areas.
2026-04-17 | The Hacker News: Google Blocks 8.3B Policy-Violating Ads in 2025, Launches Android 17 Privacy Overhaul
Google announced updates to its Play policy aimed at enhancing user privacy and combating fraud, blocking over 8.3 billion ads in 2025. Key changes in Android 17 include a new Contact Picker for selective contact access and a streamlined location button for one-time precise location requests. Developers must justify ongoing access to contacts or precise location via a Play Developer Declaration. Google also reported using its AI model, Gemini, to effectively detect and block malicious ads, removing 602 million ads linked to scams.
2026-04-17 | Help Net Security: Google wipes out 602 million scam ads with Gemini on duty
Google's Gemini AI models have enabled the removal of 602 million scam ads in 2025, as part of efforts to combat malvertising on its ad network. The company blocked over 8.3 billion ads and suspended 24.9 million accounts, with significant regional actions including 1.7 billion ads removed in the US. Gemini enhances detection by analyzing intent rather than relying solely on keywords, improving response times to user feedback and allowing for quicker action against threats.
2026-04-17 | TechRadar: 'As threats evolve, Gemini keeps our defenses one step ahead': Google claims its AI helped it block over 8.3 billion malicious ads in 2025
Google's Gemini AI platform blocked over 8.3 billion malicious ads and suspended 24.9 million accounts in 2025, achieving a 99% success rate in detecting policy-violating ads. The AI analyzes billions of signals to preemptively identify and stop deceptive ads, including those generated by Generative AI. This proactive approach also includes an advertiser verification program to enhance security against scams and malicious content.
2026-04-20 | Cyber Security News: Google Uses Gemini AI to Stop Malicious Ads From Threat Actors – 8.3 billion ads Blocked
Google's integration of Gemini AI into its security infrastructure has led to the blocking of over 8.3 billion malicious ads in 2025, as detailed in its Ads Safety Report. The AI analyzes diverse data signals in real time, enhancing detection of complex scams. Key actions included suspending 24.9 million advertiser accounts and intercepting 602 million fraudulent ads. Gemini's nuanced detection reduced incorrect suspensions by 80%, balancing user safety with legitimate business operations.
Date: 2026-04-16 | Source: Microsoft Security
Microsoft Threat Intelligence reported on a macOS cyber campaign by North Korean actor Sapphire Sleet, using social engineering to compromise systems. By impersonating a legitimate software update, users were tricked into executing malicious AppleScript files, leading to credential theft and data exfiltration. The campaign exploits user-initiated actions to bypass macOS security. Microsoft shared findings with Apple, which implemented updates to counter the threat. Recommendations include user education and monitoring for suspicious activity.
2026-04-16 | The Register: North Korea targets macOS users in latest heist
North Korean group Sapphire Sleet targets macOS users through social engineering, using fake Zoom update prompts to deliver malware. The attack involves creating false recruiter profiles to lure finance professionals, leading to the installation of a malicious AppleScript disguised as a legitimate update. This script executes a multi-stage payload chain, harvesting sensitive data and credentials. Microsoft reported the campaign to Apple, which has since implemented protections, including Safari Safe Browsing and XProtect updates.
2026-04-17 | TechRadar: Microsoft experts warn North Korean attackers target macOS users with 'a highly reliable infection chain' to steal passwords, financial data and more — here's how to stay safe
North Korean threat actors, known as Sapphire Sleet (APT38), are targeting macOS users through fake job scams to deploy infostealer malware aimed at stealing cryptocurrencies. The attackers create fake companies and job offers, luring victims into a malicious Zoom call using a counterfeit application that installs the malware. Microsoft has alerted Apple, which has implemented automatic protections to detect and block these threats. The campaign exploits social engineering tactics to manipulate users into compromising their systems.
2026-04-17 | Cyber Security News: Fake Zoom SDK Update Delivers Sapphire Sleet Malware in New macOS Intrusion Chain
A North Korean threat actor, Sapphire Sleet, targets macOS users with a fake Zoom SDK update to deploy malware that steals passwords and cryptocurrency. The attack uses social engineering, posing as a job recruiter to convince victims to download a malicious AppleScript file. The malware bypasses macOS security by executing in a user-initiated context. It harvests sensitive data and uploads it to attacker-controlled servers. Recommendations include blocking .scpt files and monitoring system permissions.
Date: 2026-04-16 | Source: The Hacker News
Cisco has released patches for four critical vulnerabilities in Identity Services and Webex Services that could lead to arbitrary code execution and user impersonation. Key vulnerabilities include CVE-2026-20184 (CVSS 9.8) related to improper certificate validation in Webex, and CVE-2026-20147, CVE-2026-20180, and CVE-2026-20186 (CVSS 9.9) involving insufficient input validation in Identity Services Engine. Users are advised to update to specific patched versions to mitigate risks.
2026-04-16 | Cyber Security News: Critical Cisco ISE Vulnerabilities Let Remote Attackers Execute Malicious Code
Cisco issued a security advisory on April 15, 2026, regarding critical vulnerabilities in its Identity Services Engine (ISE) and ISE Passive Identity Connector (ISE-PIC). CVE-2026-20147 (CVSS 9.9) allows remote code execution via crafted HTTP requests, potentially leading to a denial-of-service condition. CVE-2026-20148 (CVSS 4.9) enables path traversal attacks to access sensitive files. No workarounds exist; upgrades to specific patched versions are recommended. The vulnerabilities were reported by Jonathan Lein of TrendAI Research.
2026-04-16 | Security Affairs: Cisco fixed four critical flaws in Identity Services and Webex
Cisco addressed four critical vulnerabilities in Identity Services and Webex that could enable code execution and user impersonation. The flaws include CVE-2026-20184 (CVSS 9.8), allowing unauthenticated access via improper certificate validation; CVE-2026-20147 (CVSS 9.9), permitting remote code execution by authenticated admin users; and CVE-2026-20180/CVE-2026-20186 (CVSS 9.9), which allow read-only admins to execute arbitrary OS commands. No evidence of public exploitation has been found.
2026-04-16 | CSO Online: Cisco Webex SSO flaw needs manual certificate update to fix
Cisco Systems issued advisories for critical vulnerabilities in Webex and Identity Services Engine (ISE). Admins using single sign-on (SSO) must install a new SAML certificate, as there are no workarounds. Affected customers can find certificate information in the Webex Control Hub Alerts center and use the SSO wizard for updates. Cisco confirmed the vulnerability on April 15, stating it had been addressed and was unaware of any malicious exploitation.
Date: 2026-04-16 | Source: Help Net Security
A threat actor targeting trucking and logistics companies compromised a load board platform on February 27, 2026, delivering a malicious payload via email. The actor maintained access for over 30 days, installing multiple remote access tools and using a fraudulent code-signing certificate to bypass security measures. The intrusion involved reconnaissance for financial access, including scanning for cryptocurrency wallets and banking credentials, with results exfiltrated to Telegram bots. This highlights evolving tactics in financial exploitation within the transportation sector.
2026-04-16 | Recorded Future: Cargo thieving hackers running sophisticated remote access campaigns, researchers find
Cybersecurity researchers from Proofpoint have uncovered sophisticated remote access campaigns targeting the trucking and logistics industry, leading to significant cargo thefts. Losses in North America reached $6.6 billion in 2025, largely due to digital attacks. The hackers used multiple remote access tools and a novel "signing-as-a-service" capability to maintain control. They also targeted financial credentials and services, exploiting vulnerabilities in small carriers with limited cybersecurity defenses.
2026-04-16 | Proofpoint: Cargo thieving hackers running sophisticated remote access campaigns, researchers find
Cybersecurity researchers from Proofpoint investigated cybercriminals targeting the trucking and logistics sector, revealing a rise in cargo theft losses to $6.6 billion in 2025. The hackers compromised a load board platform, deploying six remote access tools, including a novel "signing-as-a-service" capability to bypass security measures. They also targeted financial information, scanning for cryptocurrency wallets and PayPal credentials. The threat is exacerbated by the industry's vulnerability, particularly among small carriers lacking strong cybersecurity defenses.
2026-04-17 | Cyber Security News: Hackers Target Trucking and Freight Firms to Steal Real-World Cargo Shipments
A surge in cyber attacks targeting trucking and freight firms aims to steal physical cargo worth millions. In 2025, cargo theft losses in North America reached $6.6 billion, with criminals using phishing and remote access tools to redirect shipments. Attackers exploit vulnerabilities in logistics by posting fraudulent listings, hijacking email threads, and launching direct campaigns. Recommendations include restricting unauthorized RMM tool installations, enhancing network detection, and training users to recognize phishing attempts.
2026-04-19 | Security Affairs: Cyber attacks fuel surge in cargo theft across logistics industry
Cybercriminals are increasingly targeting logistics firms, with losses in North America reaching $6.6 billion in 2025 due to cyber-enabled cargo theft. Proofpoint researchers observed coordinated attacks using remote access tools to hijack cargo bids and divert payments. A notable incident involved a breach of a load board platform, where attackers delivered a malicious VBS file to gain persistent access. The report emphasizes the need for logistics organizations to monitor for unauthorized remote management tools and suspicious PowerShell activity.
Date: 2026-04-16 | Source: Infosecurity Magazine
A critical vulnerability in the model context protocol (MCP), created by Anthropic, could expose 150 million downloads and over 200,000 vulnerable instances. Researchers at Ox Security reported that the flaw allows arbitrary command execution, risking sensitive data access. Anthropic stated this behavior is by design, placing security responsibility on developers. Ox Security has issued over 30 disclosures and identified 10+ high-severity CVEs to mitigate risks. Experts warn this highlights significant security gaps in AI infrastructure.
2026-04-16 | TechRadar: 'This is not a traditional coding error': Experts flag potentially critical security issues at the heart of Anthropic's MCP, exposes 150 million downloads and thousands of servers to complete takeover
Ox researchers have identified a critical systemic vulnerability in Anthropic's Model Context Protocol (MCP), affecting over 200,000 instances and 7,000 servers, allowing for remote code execution (RCE). The flaw is inherent in MCP SDKs across multiple programming languages, including Python and Java. Despite researchers issuing 10 CVEs and recommending root patches, Anthropic claims the system operates as intended. The vulnerability can be exploited through various methods, including UI injection and prompt injection.
2026-04-16 | CSO Online: RCE by design: MCP architectural choice haunts AI agent ecosystem
A design flaw in Anthropic's Model Context Protocol (MCP) servers may lead to remote code execution (RCE) vulnerabilities. Unsafe defaults in MCP configuration over the STDIO interface pose significant risks, allowing attackers to execute commands on six official services of various companies and compromise thousands of public servers across over 200 popular open-source GitHub projects. Researchers from OX Security highlight the extensive impact of this architectural decision on the AI agent ecosystem.
2026-04-16 | The Register: Anthropic won't own MCP 'design flaw' putting 200K servers at risk, researchers say
A design flaw in Anthropic's Model Context Protocol (MCP) threatens 200,000 servers with potential takeover, according to researchers from Ox. They reported 10 high- and critical-severity CVEs linked to open-source tools using MCP. Vulnerabilities include unauthenticated command injection, allowing attackers to execute commands on servers without authentication. Affected projects include LangFlow and GPT Researcher. Despite disclosures, Anthropic has not issued patches, citing the behavior as expected.
Date: 2026-04-15 | Source: Recorded Future
NIST announced changes to its CVE enrichment process due to a surge in vulnerability submissions, stating it will only enrich records that meet specific criteria. This shift aims to focus on critical vulnerabilities, particularly those in a federal catalog of exploited vulnerabilities. NIST acknowledged a backlog of unprocessed CVEs and will categorize older records as "Not Scheduled." The agency will no longer provide its own severity scores, relying instead on submitters' assessments.
2026-04-15 | Cyberscoop: NIST narrows scope of CVE analysis to keep up with rising tide of vulnerabilities
The National Institute of Standards and Technology (NIST) has narrowed its focus for analyzing vulnerabilities, prioritizing only CVEs listed in the Cybersecurity and Infrastructure Security Agency’s known exploited vulnerabilities catalog and critical software per Executive Order 14028. This change aims to stabilize the National Vulnerability Database (NVD) amid a surge in CVE submissions, which increased 263% from 2020 to 2025. NIST will not enrich CVEs outside this scope, impacting the vulnerability research community and shifting more authority to private organizations.
2026-04-16 | Infosecurity Magazine: NIST Drops NVD Enrichment for Pre-March 2026 Vulnerabilities
The US National Vulnerability Database (NVD) will cease enrichment for vulnerabilities reported before March 1, 2026, due to an overwhelming increase in CVE submissions, which surged by 263% from 2020 to 2025. NVD will adopt a risk-based approach, prioritizing vulnerabilities in critical software and those on the CISA's Known Exploited Vulnerabilities list. Users can request enrichment for unscheduled CVEs via email. In 2025, the NVD enriched nearly 42,000 CVEs, a 45% increase from previous years.
2026-04-16 | Cybersecurity Dive: NIST limits vulnerability analysis as CVE backlog swells
The National Institute of Standards and Technology (NIST) is revising its vulnerability analysis approach due to a significant backlog of cybersecurity vulnerabilities. NIST will now focus on detailed analyses of CVEs that are in the Cybersecurity and Infrastructure Security Agency’s Known Exploited Vulnerabilities catalog, used by the federal government, or classified as "critical software." NIST will continue to list all vulnerabilities but will not enrich those that do not meet the new criteria. The agency aims to prioritize vulnerabilities with the greatest potential impact.
2026-04-16 | Help Net Security: NIST admits defeat on NVD backlog, will enrich only highest-risk CVEs going forward
NIST is revamping the National Vulnerability Database (NVD) to focus on enriching only high-risk CVEs due to a 263% increase in submissions from 2020 to 2025. Moving forward, only CVEs affecting critical software or those in the CISA's Known Exploited Vulnerabilities catalog will be prioritized. NIST will cease adding its own severity scores and will not enrich CVEs published before March 1, 2026. This change aims to alleviate pressure on analysts and improve automated processing tools.
2026-04-16 | CSO Online: NIST cuts down CVE analysis amid vulnerability overload
The National Institute of Standards and Technology (NIST) is reducing its analysis of cybersecurity vulnerabilities due to an overwhelming volume of security flaws. NIST will now focus on enriching only the most critical CVEs, specifically those listed in CISA’s Known Exploited Vulnerabilities (KEV) catalog, aiming to complete this enrichment within one business day of receipt. This change is intended to stabilize the program while developing automated systems for long-term sustainability.
2026-04-17 | Risky.Biz: Risky Bulletin: NIST gives up enriching most CVEs
NIST announced a new policy for the US National Vulnerability Database, stating it will only enrich CVEs for critical vulnerabilities due to budget constraints. This includes vulnerabilities in CISA's KEV database, software used by federal agencies, and "critical software." NIST will cease providing its own CVSS scores, relying instead on the scores from CVE issuers, which may lead to underreported severity. The policy took effect on April 15, 2024, amid a significant backlog of CVEs.
2026-04-17 | The Hacker News: NIST Limits CVE Enrichment After 263% Surge in Vulnerability Submissions
NIST has announced changes to its CVE enrichment process due to a 263% increase in submissions from 2020 to 2025. Effective April 15, 2026, only CVEs meeting specific criteria, such as those in CISA's KEV catalog or affecting federal software, will be enriched. Unenriched CVEs will be marked as "Not Scheduled." NIST enriched nearly 42,000 CVEs in 2025. Experts emphasize the need for organizations to focus on high-impact vulnerabilities and adapt to a proactive risk management approach.
2026-04-17 | Flashpoint: National Vulnerability Database (NVD) Shifts to Selective Enrichment as CVE Volume Surges
The National Vulnerability Database (NVD) is shifting to selective enrichment of CVE data due to a surge in submissions, focusing on critical vulnerabilities and those in the CISA KEV catalog. This change, effective from late 2023, means many CVEs will lack severity scoring and context, impacting security workflows. Organizations must adapt by seeking broader vulnerability intelligence and ensuring their processes can handle gaps in NVD enrichment to maintain effective risk management.
2026-04-20 | Cyber Security News: NIST Shifts to Risk-Based NVD Model as CVE Submissions Surge 263% Since 2020
NIST announced on April 15, 2026, a shift to a risk-based model for processing vulnerabilities in the National Vulnerability Database (NVD) due to a 263% increase in CVE submissions since 2020. The new prioritization focuses on high-risk vulnerabilities, including those in CISA's KEV Catalog and critical software per Executive Order 14028. Lower-priority CVEs will not receive immediate enrichment. NIST aims to address a backlog of unenriched CVEs while enhancing operational efficiency and transparency.
2026-04-20 | TechRadar: NIST is cataloging so many vulnerabilities it can only assign severity scores to the highest priority threats
NIST has modified its enrichment process for the National Vulnerability Database (NVD) due to a 263% increase in CVE submissions since 2020. Effective April 15, prioritization will focus on CVEs listed in CISA's Known Exploited Vulnerabilities catalog, federal software, and critical software per Executive Order 14028. Other submissions will be considered "lowest priority," but users can request enrichment via email. NIST warns that not all high-impact CVEs may be captured under this new system.
Date: 2026-04-15 | Source: TechRadar
McGraw Hill confirmed a data breach involving unauthorized access to a limited set of Salesforce-hosted data, attributed to a misconfiguration within Salesforce's environment. The ransomware group ShinyHunters claims to have stolen 45 million records, demanding a ransom by April 14, 2026. McGraw Hill stated that no sensitive data, including Social Security numbers or financial information, was compromised, contradicting ShinyHunters' claims regarding the significance of the stolen data.
2026-04-15 | Recorded Future: Educational company McGraw Hill says Salesforce misconfiguration led to data leak
Educational company McGraw Hill reported a data leak linked to a misconfiguration in a Salesforce database, affecting multiple organizations. The breach involved unauthorized access to a limited set of non-sensitive data, with no impact on McGraw Hill's internal systems or sensitive information. The ShinyHunters cybercriminal group claimed to have stolen 45 million Salesforce records, threatening to leak them unless a ransom is paid by April 14. McGraw Hill is collaborating with Salesforce to enhance security measures.
2026-04-15 | Security Magazine: McGraw Hill Data Breach Caused by Salesforce Misconfiguration
McGraw Hill reported a data breach linked to a Salesforce database misconfiguration, claimed by the cybercriminal group ShinyHunters, who allegedly accessed 45 million records. McGraw Hill stated the data involved was non-sensitive and did not include unauthorized access to its internal systems. Experts warn that even non-sensitive data can be exploited for phishing and identity fraud. Recommendations include tightening access controls and enhancing monitoring to prevent similar incidents. McGraw Hill is collaborating with Salesforce to improve security.
2026-04-16 | Cyber Security News: McGraw Hill Confirms Data Breach Exposing 13.5 Million Users’ Personal Data
McGraw-Hill confirmed a data breach affecting approximately 13.5 million users, disclosed in April 2026, due to a misconfiguration in its Salesforce environment. Over 100GB of data, including unique email addresses, full names, phone numbers, and physical addresses, was publicly released after an extortion attempt. Users are advised to be vigilant against phishing, monitor for suspicious activity, and update passwords. The incident highlights risks associated with cloud platform misconfigurations.
2026-04-16 | The Register: Textbook titan McGraw Hill on ransomware crew's reading list after 13.5M records exposed
Textbook giant McGraw Hill has been implicated in a data breach after a Salesforce misconfiguration exposed 13.5 million records, including names, phone numbers, and email addresses. The ShinyHunters ransomware group listed McGraw Hill on their leak site, claiming over 40 million Salesforce records were compromised. McGraw Hill stated the breach stemmed from a broader Salesforce issue and insisted there was no unauthorized access to its systems. Salesforce has not commented on the incident.
Date: 2026-04-15 | Source: The Hacker News
A critical vulnerability (CVE-2026-33032) in nginx-ui, an open-source Nginx management tool, allows full server takeover via an authentication bypass. The flaw, with a CVSS score of 9.8, enables attackers to exploit the unprotected /mcp_message endpoint. Successful exploitation can modify Nginx configurations and intercept traffic. Users are urged to update to version 2.3.4 or restrict access. Approximately 2,689 exposed instances exist globally, posing an immediate risk to unpatched deployments.
2026-04-15 | Infosecurity Magazine: Critical Nginx-ui MCP Flaw Actively Exploited in the Wild
A critical authentication bypass vulnerability in nginx-ui (CVE-2026-33032, CVSS 9.8) allows unauthenticated attackers to control nginx servers via a single API request. Discovered by Pluto Security, it exposes 12 MCP tools, enabling destructive actions and reconnaissance. Over 2,600 instances are at risk, primarily on default port 9000. A patch (version 2.3.4) was released shortly after disclosure. Recommendations include updating, disabling MCP, restricting access, and reviewing logs for unauthorized changes.
2026-04-15 | Security Affairs: CVE-2026-33032: severe nginx-ui bug grants unauthenticated server access
A critical vulnerability in nginx-ui, tracked as CVE-2026-33032 (CVSS score 9.8), allows unauthenticated access to Nginx servers by exploiting the /mcp_message endpoint, which relies solely on IP whitelisting. Discovered by Yotam Perkal, attackers can take full control with just two HTTP requests. The flaw was patched in nginx-ui version 2.3.4, which added necessary authentication checks. Version 2.3.3 remains vulnerable.
2026-04-15 | CSO Online: Critical nginx UI tool vulnerability opens web servers to full compromise
A critical vulnerability in the open-source nginx UI web server configuration tool, identified as CVE-2026-33032, has been actively exploited by cybercriminals since March. Pluto Security, which discovered the flaw, published detailed information about it this week. The vulnerability was first noted on the National Vulnerability Database on March 30, coinciding with reports from VulnCheck and Recorded Future’s Insikt Group regarding its exploitation.
2026-04-16 | Cyber Security News: Nginx-ui Vulnerability Actively Exploited in Attack – Enables Full Server Takeover
A critical authentication bypass vulnerability in Nginx UI, tracked as CVE-2026-33032 (CVSS 9.8), is actively exploited, allowing unauthenticated remote attackers to take full control of affected servers. The flaw arises from a missing function call in the Model Context Protocol integration. With over 2,600 exposed instances, attackers can execute administrative tools, intercept traffic, harvest credentials, and disrupt services. Immediate updates to version 2.3.4 or disabling the MCP feature are recommended for mitigation.
2026-04-16 | Rapid7: CVE-2026-33032: Nginx UI Missing MCP Authentication
On March 30, 2026, a critical vulnerability (CVE-2026-33032) was disclosed for Nginx UI, allowing unauthenticated attackers to access privileged operations on Nginx servers due to missing authentication controls. The vulnerability, with a CVSS score of 9.8, was patched on March 15, 2026. Organizations are urged to update to version 2.3.6 to mitigate risks. Recorded Future reported exploitation in the wild starting April 13, 2026. Rapid7 customers can assess exposure with upcoming checks.
Date: 2026-04-15 | Source: Recorded Future
A pro-Russian hacker group attempted to breach a thermal power plant in western Sweden in spring 2025, but the intrusion was thwarted by the facility's security measures, according to Swedish officials. The attackers are believed to have links to Russian intelligence. This incident reflects a shift in tactics, with hackers moving from denial-of-service attacks to targeting operational technology systems. Similar cyber threats have been noted in Norway, Denmark, and Poland, highlighting risks to critical infrastructure in Europe.
2026-04-15 | TechCrunch: Sweden blames Russian hackers for attempting ‘destructive’ cyberattack on thermal plant
In early 2025, Russian government-linked hackers attempted a destructive cyberattack on a Swedish thermal power plant, which was thwarted by built-in protection mechanisms. Sweden's civil defense minister, Carl-Oskar Bohlin, highlighted the increasing danger of hybrid attacks beyond cyberspace. This incident reflects a trend of Russian hackers targeting critical infrastructure in Europe, following similar attacks on Poland and Norway's energy systems.
2026-04-16 | Security Affairs: Sweden reports cyberattack attempt on heating plant amid rising energy threats
Sweden reported a failed cyberattack on a heating plant in 2025, attributed to a pro-Russian group linked to Russian intelligence. This incident is part of a broader trend of attacks on critical infrastructure in Europe, including similar incidents in Poland affecting energy systems for 500,000 people. Over 150 sabotage incidents linked to Russia have been tracked since the invasion of Ukraine in February 2022, indicating a strategy of hybrid warfare aimed at destabilizing European support for Ukraine.
2026-04-16 | TechRadar: Russia hits European thermal power plant in attempted ‘destructive’ cyberattack – Pro-Kremlin hackers are engaging in ‘riskier and more reckless behavior’ in latest attempt to cripple Western critical infrastructure
Pro-Russian hackers attempted a destructive cyberattack on a thermal power plant in Sweden, which was thwarted by built-in defense mechanisms. The Swedish government linked the attackers to Russian intelligence, highlighting a shift towards riskier tactics against European critical infrastructure. This incident follows a pattern of increased cyber aggression from Russia since the Ukraine conflict began in February 2022, including previous attacks on various Western critical systems.
Date: 2026-04-15 | Source: US Department of Justice
Two U.S. nationals, Kejia Wang and Zhenxing Wang, were sentenced for facilitating a scheme that enabled North Korean IT workers to pose as U.S. residents and generate over $5 million for the DPRK. Kejia received 108 months and Zhenxing 92 months in prison for conspiracy to commit wire fraud and money laundering. They exploited stolen identities to access sensitive data from U.S. companies, including defense contractors. The case highlights ongoing efforts to combat North Korean cyber threats and protect national security.
2026-04-16 | Help Net Security: Two US nationals jailed over scheme that generated $5 million for the North Korean regime
Two US nationals, Kejia Wang and Zhenxing Wang, were sentenced to 108 and 92 months in prison, respectively, for a scheme that generated over $5 million for North Korea by placing IT workers in US companies under false identities. The operation, active from 2021 to October 2024, involved over 100 companies and resulted in at least $3 million in losses. It also exposed sensitive data, including information from a US defense contractor. The Justice Department recommends strengthening hiring controls and monitoring login activity.
2026-04-16 | Cyber Security News: Two U.S. Nationals Sentenced for Running Laptop Farm for DPRK Remote Workers
Two U.S. nationals were sentenced for operating a "laptop farm" scheme that infiltrated over 100 companies, generating over $5 million to fund North Korea's weapons programs. Kejia Wang received 108 months, and Zhenxing Wang 92 months in prison for conspiracy charges. The operation involved identity theft, KVM switch exploitation for remote access, and ITAR data exfiltration from a defense contractor. The DOJ's crackdown continues, with a $5 million reward for information on additional co-conspirators.
2026-04-16 | The Register: Americans who masterminded Nork IT worker fraud sentenced to 200 months behind bars
Kejia "Tony" Wang and Zhenxing "Danny" Wang were sentenced to a combined 200 months for facilitating North Korean IT worker fraud, generating $5 million through schemes involving over 100 US companies, including a defense contractor. They stole identities of 80 US citizens to help North Koreans pass employment checks. The scheme caused $3 million in losses to victim companies, with sensitive data accessed by a North Korean worker. Both were ordered to forfeit $600,000, with ongoing investigations for additional co-conspirators.
2026-04-16 | Infosecurity Magazine: US Nationals Jailed for Operating Fake Remote Worker Laptop Farms for North Korea
Two US nationals, Kejia Wang and Zhenxing Wang, were sentenced to 108 and 92 months in prison, respectively, for facilitating a scheme that deceived over 100 American companies into hiring North Korean workers posing as US residents. The operation generated over $5 million for North Korea using stolen identities and allowed access to sensitive data from military and AI firms. The FBI is pursuing additional co-conspirators involved in the scheme.
2026-04-16 | TechCrunch: Two Americans sentenced for helping North Korea steal $5 million in fake IT worker scheme
Two U.S. citizens, Kejia Wang and Zhenxing Wang, were sentenced for aiding North Korea in a scheme that generated $5 million by placing fake IT workers in U.S. companies. They managed "laptop farms" allowing North Koreans to appear as local employees, stealing identities of over 80 Americans and accessing sensitive data, including from an AI firm. The DOJ announced rewards for information on co-conspirators. This fraud supports North Korea's regime and weapons program amid international sanctions.
2026-04-16 | Recorded Future: New Jersey men given lengthy sentences for running North Korean laptop farms
Two New Jersey men, Kejia Wang (42) and Zhenxing Wang (39), were sentenced to over seven years in prison for facilitating North Korean IT workers' employment at U.S. companies, generating over $5 million for North Korea. They managed laptop farms, allowing remote access to corporate devices, and stole identities of about 80 U.S. citizens. The operation led to significant financial losses for American companies and involved sensitive data theft from a defense contractor. Both men will forfeit $600,000 and serve supervised release.
2026-04-16 | Cyberscoop: US nationals sentenced for aiding North Korea’s tech worker scheme
Two New Jersey men, Kejia Wang and Zhenxing Wang, were sentenced for facilitating North Korea's scheme to infiltrate U.S. businesses, generating over $5 million for the regime. They used shell companies to hire operatives, stealing sensitive files from a defense contractor. Kejia received nine years, while Zhenxing was sentenced to 92 months in prison. They stole identities of 80 U.S. residents and incurred over $3 million in damages for victim companies. Both were ordered to forfeit $600,000.
Date: 2026-04-15 | Source: Cisco Talos
Cisco Talos reports an increase in the misuse of the n8n AI workflow automation platform for phishing campaigns from October 2025 to March 2026. Attackers exploit n8n's webhook URLs to deliver malware and perform device fingerprinting. Notable campaigns involved emails masquerading as Microsoft OneDrive links that, upon interaction, downloaded malicious executables. Recommendations include behavioral detection of unusual traffic to n8n and sharing indicators of compromise to enhance security measures.
2026-04-15 | The Hacker News: n8n Webhooks Abused Since October 2025 to Deliver Malware via Phishing Emails
Threat actors have exploited n8n, an AI workflow automation platform, since October 2025 to deliver malware via phishing emails. By using webhook URLs, attackers bypass security filters, making malicious payloads appear legitimate. In March 2026, email messages containing these URLs surged by 686% compared to January 2025. One campaign involved embedding a webhook link in emails disguised as shared documents, leading to malware downloads. Additionally, attackers use n8n for device fingerprinting through invisible tracking pixels.
2026-04-16 | Cyber Security News: Hackers Abuse n8n AI Workflow Automation to Deliver Malware Through Trusted Webhooks
Cybercriminals are exploiting the n8n AI workflow automation tool to deliver malware via trusted webhooks. This tactic, observed from October 2025 to March 2026, involves creating free developer accounts to send phishing emails and malicious payloads. Cisco Talos researchers noted a 68% increase in n8n webhook URLs in March 2026. Attackers used these URLs to collect device information and deliver malware disguised as legitimate files. Recommendations include implementing behavioral detection and AI-driven email security solutions to mitigate risks.
2026-04-16 | Security Affairs: AI platform n8n abused for stealthy phishing and malware delivery
Attackers are exploiting the AI automation platform n8n to conduct phishing campaigns and deliver malware, leveraging trusted infrastructure to evade security measures. Cisco Talos reported that malicious emails mimicking OneDrive links direct users to CAPTCHA-protected pages, leading to downloads of backdoor tools like Datto RMM and ITarian RMM. Additionally, n8n is used for device fingerprinting via embedded tracking images in emails, highlighting the need for enhanced security measures for low-code automation platforms.
2026-04-16 | Cisco Talos: The Q1 vulnerability pulse
In Q1 2026, networking gear represented 20% of Known Exploited Vulnerabilities (KEVs), with CVE counts increasing, particularly in March. Cisco Talos reported a rise in the abuse of n8n for malware delivery via URL-exposed webhooks. Adobe patched a zero-day vulnerability in Acrobat and Reader after four months of exploitation. The FBI and Indonesian police dismantled the W3LL phishing network, which facilitated $20M in fraud attempts. Recommendations include implementing behavioral detection and restricting endpoint communication with automation platforms.
Date: 2026-04-14 | Source: Wired
OpenAI announced a new cybersecurity strategy and model, GPT-5.4-Cyber, aimed at digital defenders. This follows Anthropic's concerns about the risks of its Claude Mythos model. OpenAI emphasizes existing safeguards while acknowledging the need for advanced protections. Their strategy includes "know your customer" validation, iterative deployment for real-world feedback, and investments in software security. This initiative aligns with broader efforts, including Codex Security and a cybersecurity grants program.
2026-04-14 | CNET: OpenAI Has a New GPT-5.4-Cyber Model. Here's Why You Can't Use It
OpenAI has introduced the GPT-5.4-Cyber model, currently available only to verified cybersecurity testers for evaluation. This model aims to identify vulnerabilities and improve defenses against adversarial attacks. It is a fine-tuned version of GPT-5.4, designed with lower security guardrails for cybersecurity tasks. This initiative is part of OpenAI's Trusted Access for Cyber program, reflecting the growing need for enhanced security in AI amid increasing cyber threats.
2026-04-15 | Times Now: OpenAI's Answer To Anthropic Mythos? GPT-5.4-Cyber Introduced To Stop Cyberattacks Before They Begin
OpenAI has introduced GPT-5.4-Cyber, an AI model designed to enhance cybersecurity by preventing cyberattacks proactively. This model is described as ‘cyber-permissive,’ allowing for legitimate security queries without excessive blocking. It offers advanced defensive capabilities, including binary reverse engineering, enabling security professionals to assess compiled software for malware, vulnerabilities, and overall security without needing source code access. The announcement was made in a blog post on Tuesday.
2026-04-15 | Cyber Security News: OpenAI Launches GPT-5.4 with Reverse Engineering, Vulnerability and Malware Analysis Features
OpenAI has launched GPT-5.4-Cyber, a variant of GPT-5.4 tailored for cybersecurity, enabling vetted professionals to perform binary reverse engineering, vulnerability scanning, and malware analysis with fewer restrictions. The model is classified as “High” capability under OpenAI's Preparedness Framework. Alongside this, the Trusted Access for Cyber program is expanding to thousands of defenders, granting access to advanced workflows. Codex Security has already fixed over 3,000 critical vulnerabilities, highlighting the model's defensive capabilities.
2026-04-15 | The Hacker News: OpenAI Launches GPT-5.4-Cyber with Expanded Access for Security Teams
OpenAI launched GPT-5.4-Cyber, a variant of GPT-5.4 optimized for defensive cybersecurity, enhancing access for security teams. The initiative aims to empower defenders to identify and resolve vulnerabilities faster. OpenAI is expanding its Trusted Access for Cyber program while addressing concerns about AI misuse by adversaries. The AI-powered Codex Security has already helped fix over 3,000 critical vulnerabilities. The goal is to integrate security into development workflows for continuous risk reduction.
2026-04-15 | Help Net Security: OpenAI expands its cyber defense program with GPT-5.4-Cyber for vetted researchers
OpenAI is expanding its Trusted Access for Cyber (TAC) program, providing vetted cybersecurity defenders with prioritized access to GPT-5.4-Cyber, a version of GPT-5.4 tailored for defensive tasks. This model features enhanced capabilities for binary reverse engineering and reduced refusal boundaries for legitimate cybersecurity work. The program emphasizes democratized access, iterative deployment, and ecosystem resilience, while addressing the dual-use nature of AI in cybersecurity. Codex Security has already fixed over 3,000 vulnerabilities since its launch.
2026-04-15 | TechRadar: 'Trusted access for the next era of cyber defense': OpenAI reveals its Mythos rival, designed for cybersecurity pros to spot the next level of attacks
OpenAI has launched GPT-5.4-Cyber, a cybersecurity-focused variant of its GPT-5.4 model, designed to assist defenders in identifying advanced threats. This model features lower refusal boundaries for legitimate tasks and includes binary reverse engineering capabilities for detecting malicious code. Available through the Trusted Access for Cyber program, it will be scaled to thousands of verified users. OpenAI aims to democratize access compared to competitors like Anthropic's Mythos, which has limited availability.
2026-04-15 | Infosecurity Magazine: AI Companies to Play Bigger Role in CVE Program, Says CISA
AI companies like OpenAI and Anthropic are urged to enhance their involvement in the Common Vulnerabilities and Exposures (CVE) program, according to CISA's Lindsey Cerkovnik at VulnCon26 on April 14. The CVE program has seen rapid growth in reported vulnerabilities, with projections of 50,000 to 70,000 new CVEs in 2026. Anthropic's Claude Mythos Preview has autonomously identified numerous zero-day vulnerabilities, while OpenAI launched GPT-5.4-Cyber for cybersecurity applications.
2026-04-15 | Cyberscoop: OpenAI expands Trusted Access for Cyber program with new GPT 5.4 Cyber model
OpenAI is expanding its Trusted Access for Cyber program to thousands of individuals and organizations, introducing the GPT 5.4 Cyber model optimized for cybersecurity tasks. The program aims to enhance accessibility to advanced cybersecurity tools while enforcing strict Know-Your-Customer and identity verification rules to prevent misuse. OpenAI plans to enable broader participation from cyber operators to protect critical infrastructure and digital systems, emphasizing the importance of verification and accountability in access.
2026-04-15 | Infosecurity Magazine: OpenAI Unveils GPT-5.4-Cyber for Improving Cyber Defense With AI
OpenAI launched GPT-5.4-Cyber on April 14, a large language model tailored for cybersecurity, alongside an expanded Trusted Access for Cyber (TAC) program. This model is designed to enhance cyber defense capabilities by automating identity verification and providing advanced tools for vetted security vendors. OpenAI emphasizes the need for stronger verification to prevent misuse, acknowledging the dual-use nature of AI in cybersecurity. The initiative aims to improve software security through continuous risk reduction during development.
2026-04-16 | DIGIT: OpenAI Unveils GPT-5.4-Cyber Amid Bubbling AI Security Debate
OpenAI has launched GPT-5.4-Cyber, a cybersecurity-focused AI model designed to identify software vulnerabilities. This model features a "lower refusal boundary" for sensitive security queries and supports binary reverse engineering. Access is limited to vetted users through the Trusted Access for Cyber (TAC) program. OpenAI emphasizes a balanced approach to access and safeguards, alongside a broader strategy involving customer validation, iterative deployment, and investment in software security.
2026-04-16 | Hack Read: OpenAI Launches GPT-5.4-Cyber to Boost Defensive Cybersecurity
OpenAI has launched GPT-5.4-Cyber, an AI model optimized for defensive cybersecurity, enhancing tools for network defenders. The Trusted Access for Cyber program is expanded to thousands of authenticated users, aiding in identifying and patching vulnerabilities. A key feature, binary reverse engineering, allows security experts to analyze compiled software for malware without source code access. Access requires user verification to prevent misuse. OpenAI plans ongoing updates to improve system resilience throughout 2026.
2026-04-16 | Security Magazine: What Are Security Experts Saying About OpenAI’s GPT-5.4-Cyber?
OpenAI launched GPT-5.4-Cyber, a model for defensive cybersecurity, expanding its Trusted Access for Cyber (TAC) program to thousands of verified defenders. Security leaders emphasize the need for effective remediation processes, as AI-discovered vulnerabilities outpace human response capabilities. OpenAI's approach contrasts with Anthropic's, focusing on controlled access and oversight. Experts stress that while advanced tools are beneficial, challenges in patching and remediation remain critical in cybersecurity.
Date: 2026-04-14 | Source: TechCrunch
Dozens of WordPress plug-ins were taken offline after a backdoor was discovered, enabling malicious code distribution to websites using them. The backdoor was added following the acquisition of Essential Plugin, which has over 400,000 installs. The issue was highlighted by Anchor Hosting's Austin Ginder, who noted that this is the second hijack in two weeks. Users are advised to check for and remove the affected plug-ins, which are now permanently closed.
2026-04-15 | Times Now: Using WordPress? Delete These Plug-ins Before It’s Too Late
WordPress users are at risk due to compromised plug-ins that have changed ownership without notification, potentially allowing attackers to exploit trusted software. This incident marks a second occurrence of such vulnerabilities. Although WordPress has removed the affected plug-ins from its directory and marked them as ‘permanently closed,’ site owners who still have these plug-ins installed remain at risk. Users are advised to delete these plug-ins to mitigate potential threats.
2026-04-15 | Cyber Security News: Hackers Hide Backdoor in Trusted WordPress Plugins for 8 Months Before Activating Malware
A group of trusted WordPress plugins, known as Essential Plugin, contained a hidden backdoor for eight months before being activated in April 2026. The backdoor was introduced after a legitimate plugin business was purchased. The malware injected spam links and fake pages into the wp-config.php file, affecting hundreds of thousands of installations. WordPress.org closed all 31 plugins and issued a forced update, but the wp-config.php file remained compromised. Site administrators are advised to inspect their installations and remove affected plugins.
2026-04-15 | TechRadar: WordPress websites under attack — expert report says dozens of plugins hijacked to target thousands of sites
A malicious actor purchased 31 WordPress plugins from Essential Plugin, injecting backdoors that granted full access to thousands of websites. The injected malware fetched spam links and redirected traffic while remaining invisible to site owners, only displaying to Googlebot. The command-and-control server resolved through an Ethereum smart contract, complicating traditional takedown efforts. WordPress has since removed the compromised plugins, and users are advised to seek safer alternatives.
Date: 2026-04-14 | Source: The Hacker News
Cybersecurity researchers identified 108 malicious Chrome extensions affecting approximately 20,000 users, designed to steal Google and Telegram data. These extensions, published under five identities, communicate with a shared command-and-control infrastructure. They exfiltrate credentials, inject ads, and manipulate web sessions. Notable extensions include "Telegram Multi-account" and "Web Client for Telegram," which capture user tokens and strip security headers. Users are urged to uninstall these extensions and secure their accounts immediately.
2026-04-14 | Cyber Security News: Hackers Use 108 Chrome Extensions to Steal User Data Through Shared C2 Infrastructure
A cyber espionage campaign has exploited 108 malicious Google Chrome extensions to steal sensitive user data via a shared Command and Control (C2) infrastructure. These rogue extensions, disguised as legitimate tools, monitor web activity and harvest personal and corporate information, including session tokens that bypass multi-factor authentication. Organizations are advised to audit installed extensions, enforce strict policies, and monitor outbound traffic to mitigate risks.
2026-04-14 | Infosecurity Magazine: Malicious Chrome Extensions Campaign Exposes User Data
A campaign involving 108 malicious Chrome extensions has exposed data from approximately 20,000 users. These extensions, masquerading as legitimate tools, collect sensitive information and are linked to a single command-and-control infrastructure. Notable attack techniques include capturing web sessions via a Telegram extension and harvesting Google account details. The dual functionality of these extensions complicates detection. All extensions were still available at discovery, and takedown requests have been submitted.
2026-04-14 | Tomsguide: 108 malicious Chrome extensions found stealing data and injecting ads into every page you visit — delete them right now
108 malicious Chrome extensions were discovered, with over 20,000 downloads, designed to steal user data and inject ads. Identified by Socket, these extensions masquerade as games and utilities but share a common command-and-control server. Notably, 54 of them harvest sensitive Google account identifiers, posing significant risks. Users are advised to delete these extensions immediately and exercise caution when installing new ones, checking permissions and using Enhanced Safe Browsing for added security.
2026-04-15 | Times Now: More Than 100 Chrome Extensions Accused Of Data Theft On Google And Telegram, Here's The Full List
More than 108 Google Chrome extensions have been identified as malicious, designed to steal user data, inject harmful code, and hijack Telegram sessions. These extensions have collectively garnered around 20,000 installs from the Chrome Web Store. This revelation comes from cybersecurity researchers and was reported by Hacker News, highlighting ongoing concerns regarding the safety of browser extensions.
2026-04-15 | TechRadar: Google Chrome users beware — experts warn over 100 Web Store extensions found stealing user data from thousands of accounts
Over 100 malicious Chrome extensions have been discovered, stealing user data and authentication tokens from thousands of accounts. Security researchers identified 108 extensions, including Telegram clients and browser utilities, that inject malicious HTML and harvest personal information. The most concerning extension steals Telegram Web sessions every 15 seconds. Despite over 20,000 installs, Google has yet to remove them from the Web Store. Users are advised to uninstall these extensions immediately.
